My question is about the way an Access Token is checked by the okta-jwt-verifier-php bundle for Symfony.
When calling the verifyAccessToken method, the function performs a check against the client ID: okta-jwt-verifier-php/JwtVerifier.php at develop · okta/okta-jwt-verifier-php · GitHub
But this check doesn't seem to be part of the protocol: Validate Access Tokens
In my case I use this bundle for an API. But several client apps, with different client_ids, need to make authenticated API calls.
As a workaround when building the JwtVerifier I set the clientId as the one found in the token:
```php
<?php
use Okta\JwtVerifier\JwtVerifierBuilder;
use Okta\JwtVerifier\Discovery\Oauth;
use Okta\JwtVerifier\Adaptors\FirebasePhpJwt;

// Use the "cid" claim of the decoded token payload as the expected client ID
$clientId = $payload['cid'];

$jwtVerifier = (new JwtVerifierBuilder($request))
    ->setDiscovery(new Oauth())
    ->setAdaptor(new FirebasePhpJwt($request))
    ->setAudience("myAudience")
    ->setClientId($clientId)
    ->build();
```
But I wonder what the reasons were that led to forcing the client_id check for the Access Token? What are the best practices when different client apps need to call a single API?
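Added example (not from the post or the okta-jwt-verifier-php library): a claim check for an API called by several registered client apps, where `cid` is compared against an allowlist rather than against whatever value the token itself carries. It assumes the signature has already been verified and that `$claims` is the decoded payload as an associative array; the issuer, audience and client IDs are placeholders.

```php
<?php
// Added example, not part of the original post or of okta-jwt-verifier-php.
// $claims: decoded, signature-verified JWT payload as an associative array.
function validateAccessTokenClaims(
    array $claims,
    string $expectedIssuer,
    string $expectedAudience,
    array $allowedClientIds,   // hypothetical allowlist: one entry per client app
    int $leewaySeconds = 60
): bool {
    $now = time();

    // Issuer must be the authorization server this API trusts.
    if (($claims['iss'] ?? null) !== $expectedIssuer) {
        return false;
    }
    // 'aud' may be a single string or an array of strings.
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array($expectedAudience, $aud, true)) {
        return false;
    }
    // Expiry and not-before, with a small clock-skew allowance.
    if (!isset($claims['exp']) || $claims['exp'] + $leewaySeconds < $now) {
        return false;
    }
    if (isset($claims['nbf']) && $claims['nbf'] - $leewaySeconds > $now) {
        return false;
    }
    // Client ID: require 'cid' to be one of the client apps registered for
    // this API instead of accepting any value the token happens to carry.
    if (!isset($claims['cid']) || !in_array($claims['cid'], $allowedClientIds, true)) {
        return false;
    }
    return true;
}

// Constructed sample claims for a call from a registered mobile client.
$sampleClaims = [
    'iss' => 'https://example.okta.com/oauth2/default', // placeholder issuer
    'aud' => 'myAudience',
    'cid' => 'client-mobile',                           // placeholder client ID
    'exp' => time() + 300,
    'nbf' => time() - 5,
];

var_dump(validateAccessTokenClaims(
    $sampleClaims,
    'https://example.okta.com/oauth2/default',
    'myAudience',
    ['client-web', 'client-mobile']                     // placeholder allowlist
));
```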