When Amazon Cognito issues access tokens it doesn't include an `aud` field.
In the documentation for Cognito tokens, the `aud` field is listed for id tokens (always set to the same value as `client_id`), but not for access tokens.
The relevant section of the JWT specification says:
If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
So, what's going on here? Who's right? Is this a security concern?
I notice that the `iss` section of the token is specific to my user pool, and that can't have been tampered with, since it's signed by Amazon, so I think I should be safe.
OAuth 2 and JWT are very confusing though, so I wanted to get more opinions.
From my reading of the RFC I do not think that AWS is doing anything wrong, specifically (note my emphasis):
If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
Use of this claim is OPTIONAL.
Which, I believe, means that AWS is fine, because it's simply omitting the claim in the case of the access token, but it is identifying itself (in its own way), by setting it to `client_id` when it does make the claim on the id token.
It should be noted that the access token itself does encode and enforce the audience; in that when you use it against AWS' APIs it will enforce that you only receive the resources available on the client_id/scope that it was issued for.
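As an added example (not code from the question or answer above), here is a Python check that applies the RFC rule the answer quotes: a token whose `aud` is present but names someone else is rejected, while an `aud`-less Cognito access token is accepted on the strength of `iss` and the `client_id` claim Cognito places in access tokens. The issuer and client id values are constructed placeholders, and signature verification against the user pool's JWKS is assumed to have happened before these claims are trusted.

```python
import base64
import json
import time

# Constructed placeholders, not real Cognito identifiers.
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
EXPECTED_CLIENT_ID = "exampleclientid123"


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT.
    Signature verification is assumed to have been done already (not shown)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def check_claims(claims: dict, client_id: str, issuer: str, now: float = None):
    """Audience policy per RFC 7519 section 4.1.3, with Cognito's aud-less
    access tokens handled by falling back to iss + client_id.
    Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"  # token is not from our user pool
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired"
    aud = claims.get("aud")
    if aud is not None:
        # aud present: it MUST name us, whether it is a string or a list.
        audiences = aud if isinstance(aud, list) else [aud]
        if client_id not in audiences:
            return False, "aud does not contain this client"
        return True, "aud matched"
    # aud absent: the claim is OPTIONAL; Cognito access tokens carry client_id instead.
    if claims.get("token_use") != "access":
        return False, "aud-less token is not an access token"
    if claims.get("client_id") != client_id:
        return False, "client_id mismatch"
    return True, "no aud; iss, token_use and client_id matched"


def build_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    tok = build_unsigned_token({"iss": EXPECTED_ISSUER, "token_use": "access",
                                "client_id": EXPECTED_CLIENT_ID, "exp": 2_000_000_000})
    print(check_claims(decode_payload(tok), EXPECTED_CLIENT_ID, EXPECTED_ISSUER, now=1000))
```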