From 8ccc03fdb60a8d9a295c6bf9aa875a9ed09bd758 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Fri, 26 May 2023 14:24:31 -0600 Subject: [PATCH] Update Resource Server Docs Closes gh-13147 --- .../servlet/oauth2/resource-server/jwt.adoc | 29 ++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc index b37afcef38..3d4baef203 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc @@ -132,6 +132,30 @@ We still specify the `issuer-uri` so that Resource Server still validates the `i [NOTE] This property can also be supplied directly on the <>. +== Supplying Audiences + +As already seen, the <<_specifying_the_authorization_server, `issuer-uri` property validates the `iss` claim>>; this is who sent the JWT. + +Boot also has the `audiences` property for validating the `aud` claim; this is who the JWT was sent to. + +A resource server's audience can be indicated like so: + +[source,yaml] +---- +spring: + security: + oauth2: + resourceserver: + jwt: + issuer-uri: https://idp.example.com + audiences: https://my-resource-server.example.com +---- + +[NOTE] +You can also add <>, if needed. + +The result will be that if the JWT's `iss` claim is not `https://idp.example.com`, and its `aud` claim does not contain `https://my-resource-server.example.com` in its list, then validation will fail. + [[oauth2resourceserver-jwt-sansboot]] == Overriding or Replacing Boot Auto Configuration 
@@ -1051,7 +1075,7 @@ By default, Resource Server configures a clock skew of 60 seconds. [[oauth2resourceserver-jwt-validation-custom]] === Configuring a Custom Validator -Adding a check for the `aud` claim is simple with the `OAuth2TokenValidator` API: +Adding a check for <<_supplying_audiences, the `aud` claim>> is simple with the `OAuth2TokenValidator` API: ==== .Java @@ -1159,6 +1183,9 @@ fun jwtDecoder(): JwtDecoder { ---- ==== +[TIP] +As stated earlier, you can instead <<_supplying_audiences, configure `aud` validation in Boot>>. + [[oauth2resourceserver-jwt-claimsetmapping]] == Configuring Claim Set Mapping
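Review bot: the closing sentence of the new `== Supplying Audiences` section (first hunk, `@@ -132,6 +132,30 @@`) inverts the logic: it says validation fails if the `iss` claim is not `https://idp.example.com` *and* the `aud` claim does not contain `https://my-resource-server.example.com`, but the two checks are independent, so a mismatch on either claim alone rejects the token; change `and` to `or`, or split it into two sentences. Three smaller points on the same hunk: `iss` identifies who issued the token rather than "who sent" it, so "this is who issued the JWT" is more accurate; the new heading has no explicit `[[...]]` anchor, unlike the adjacent `[[oauth2resourceserver-jwt-sansboot]]`, so the later `<<_supplying_audiences, ...>>` xrefs rely on the auto-generated id and break if the heading is reworded (add e.g. `[[oauth2resourceserver-jwt-audiences]]` above it); and since the text describes `aud` as a list that must "contain" the configured value, showing the property as a YAML list (or stating it accepts several values) plus one sentence on why it matters (a token the same issuer minted for a different resource server would otherwise pass the `iss` check) would make the section self-explanatory.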
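Review bot: in the second hunk (`@@ -1051,7 +1075,7 @@`) the new xref `<<_supplying_audiences, the `aud` claim>>` targets the implicit section id, whereas the rest of this file links sections through explicit ids such as `[[oauth2resourceserver-jwt-validation-custom]]`; give the new section an explicit anchor and reference that here so the link follows the file's convention and survives a heading rename.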
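Review bot: the TIP added in the third hunk (`@@ -1159,6 +1183,9 @@`) says the reader can "instead" configure `aud` validation in Boot, but it sits directly after the custom `JwtDecoder` example (`fun jwtDecoder(): JwtDecoder`), which replaces Boot's auto-configured decoder as the "Overriding or Replacing Boot Auto Configuration" section explains; the TIP should say that the `audiences` property is honoured only by Boot's auto-configured decoder, so a reader who keeps a custom `JwtDecoder` bean must keep the `aud` check in the validator rather than expecting the property to take effect. It also uses the same implicit `_supplying_audiences` anchor noted above.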