Who is the Audience of OAuth 2.0 Access Token?
I have been introducing OAuth and OIDC flows to
Japanese web application developers while writing sequence diagrams.
But I may have forgotten to tell them something very important.
- When I talked about the issue of Token substitution attacks in the OAuth 2.0 Implicit flow, I introduced Google’s TokenInfo API as a mitigation. Google’s API puts the client_id in the “aud” value of the JSON response.
- Since OIDC came along, I have explained the contents of the IDToken in as much detail as possible. Of course, the recipient of the OIDC IDToken is the Client (Relying Party).
Some developers who remembered this believed that the recipient of the OAuth 2.0 AccessToken was the Client.
And they were a bit confused when they saw related specifications such as Token Introspection, the JWT Profile for Access Tokens, and Resource Indicators.
The audiences of tokens handled in OAuth 2.0 and OIDC flows are different.
- Authorization Code : Authorization Server (Token Endpoint)
- Access Token : Resource Server (Resource Endpoint)
- Refresh Token : Authorization Server (Token Endpoint)
- OIDC IDToken : Client
All of these tokens are issued by the Authorization Server, but for the “audience” we need to focus on who will process the token last.
Keep these differences in mind when implementing these tokens as JWTs.
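As an added example (not code from this post or from Nat's video), here is what the audience rule looks like on the Resource Server side: a JWT access token is accepted only if its `aud` names this resource server, and an IDToken (whose `aud` is the client_id) is rejected even though the same Authorization Server signed it. The HS256 shared secret, the resource identifier and the client_id are constructed values for the example; a real resource server verifies against the Authorization Server's public key instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values for this example only.
SECRET = b"example-shared-secret"            # stand-in for the AS signing key
RESOURCE_SERVER_ID = "https://api.example.com"  # assumed resource identifier
CLIENT_ID = "client-123"                      # assumed client_id of the RP

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, typ: str) -> str:
    """Mint an HS256 JWT the way a toy Authorization Server would."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_access_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource Server check: signature, token type, expiry and, above all, audience."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h64))
    claims = json.loads(_b64url_decode(p64))
    # RFC 9068 (JWT Profile for Access Tokens) marks access tokens with typ "at+jwt";
    # an IDToken carries a plain "JWT" typ and must not be accepted here.
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        return False, "not an access token"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "expired"
    # The audience of an access token is the Resource Server, not the Client.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if RESOURCE_SERVER_ID not in aud_list:
        return False, f"aud {aud!r} is not this resource server"
    return True, "ok"
```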
This video by Nat explains everything simply.
When I introduce OAuth in the future, I promise to show his YouTube channel first.