Hi,
My question is about the way an Access Token is checked by the okta-jwt-verifier-php bundle for Symfony.
When calling the verifyAccesToken method, the function performs a check against the client ID : okta-jwt-verifier-php/JwtVerifier.php at develop · okta/okta-jwt-verifier-php · GitHub
But this check doesn’t seem to be part of the protocol : Validate Access Tokens
In my case I use this bundle for an API. But several client App, with different client_id need to make authenticated API calls.
As a workaround when building the JwtVerifier I set the clientId as the one found in the token:
$clientId = $payload['cid']
$jwtVerifier = (new JwtVerifierBuilder($request))
->setDiscovery(new Oauth)
->setAdaptor(new FirebasePhpJwt($request))
->setAudience("myAudience")
->setClientId($clientId)
->build();
But I wonder what were the reasons that lead to force client_id check for the Access Token? What are the best practices when different client App need to call a single API?