IdentityServer · leastprivilege · Oct 23, 2019 · Oct 22, 2019 · Oct 22, 2019
diff --git a/docs/reference/options.rst b/docs/reference/options.rst
@@ -11,6 +11,8 @@ IdentityServer Options
 
 * ``AccessTokenJwtType``
     Specifies the value used for the JWT typ header for access tokens (defaults to ``at+jwt``).
+* ``EmitLegacyResourceAudienceClaim``
+    Emits an ``aud`` claim with the format issuer/resources. That's needed for some older access token validation plumbing. Defaults to false.
 
 Endpoints
 ^^^^^^^^^

diff --git a/src/IdentityServer4/src/Configuration/DependencyInjection/Options/IdentityServerOptions.cs b/src/IdentityServer4/src/Configuration/DependencyInjection/Options/IdentityServerOptions.cs
@@ -36,6 +36,11 @@ public class IdentityServerOptions
         /// </value>
         public string AccessTokenJwtType { get; set; } = "at+jwt";
 
+        /// <summary>
+        /// Emits an aud claim with the format issuer/resources. That's needed for some older access token validation plumbing. Defaults to false.
+        /// </summary>
+        public bool EmitLegacyResourceAudienceClaim { get; set; } = false;
+
         /// <summary>
         /// Gets or sets the endpoint configuration.
         /// </summary>

diff --git a/src/IdentityServer4/src/Services/Default/DefaultTokenService.cs b/src/IdentityServer4/src/Services/Default/DefaultTokenService.cs
@@ -58,6 +58,11 @@ public class DefaultTokenService : ITokenService
         /// </summary>
         protected readonly IKeyMaterialService KeyMaterialService;
 
+        /// <summary>
+        /// The IdentityServer options
+        /// </summary>
+        protected readonly IdentityServerOptions Options;
+
         /// <summary>
         /// Initializes a new instance of the <see cref="DefaultTokenService" /> class.
         /// </summary>
@@ -67,6 +72,7 @@ public class DefaultTokenService : ITokenService
         /// <param name="contextAccessor">The HTTP context accessor.</param>
         /// <param name="clock">The clock.</param>
         /// <param name="keyMaterialService"></param>
+        /// <param name="options">The IdentityServer options</param>
         /// <param name="logger">The logger.</param>
         public DefaultTokenService(
             IClaimsService claimsProvider, 
@@ -75,6 +81,7 @@ public DefaultTokenService(
             IHttpContextAccessor contextAccessor, 
             ISystemClock clock, 
             IKeyMaterialService keyMaterialService,
+            IdentityServerOptions options,
             ILogger<DefaultTokenService> logger)
         {
             Context = contextAccessor;
@@ -83,6 +90,7 @@ public DefaultTokenService(
             CreationService = creationService;
             Clock = clock;
             KeyMaterialService = keyMaterialService;
+            Options = options;
             Logger = logger;
         }
 
@@ -199,6 +207,11 @@ public virtual async Task<Token> CreateAccessTokenAsync(TokenCreationRequest req
                 AccessTokenType = request.ValidatedRequest.AccessTokenType
             };
 
+            if (Options.EmitLegacyResourceAudienceClaim)
+            {
+                token.Audiences.Add(string.Format(IdentityServerConstants.AccessTokenAudience, issuer.EnsureTrailingSlash()));
+            }
+
             foreach(var api in request.Resources.ApiResources)
             {
                 if (api.Name.IsPresent())