Difference between aud in custom authrization server and ClientId

jelbatnigi · March 4, 2020, 9:28pm

I have a SPA client that authenticates and gets back a token with aud equals to the client ID. Now if I want to use this token to validate against my authorization server it will fail because the authorization server has a different aud.
in the OKTA documentation it states that Audience in the authorization server should equals to the API url. so If I try to authenticate using the authorization server I still get the client Id as aud and not what I specified in the auth server.

Can someone explain the difference here?

Govner · March 4, 2020, 9:46pm

That should be the case for an id token: https://developer.okta.com/docs/guides/validate-id-tokens/overview/#verify-the-claims but the access token should have the audience specific to the downstream API (resource server): https://developer.okta.com/docs/guides/validate-access-tokens/overview/#verify-the-claims

jelbatnigi · March 6, 2020, 9:30pm

Ok Thanks that works. now I am able to get the proper aud in the access token. One thing though…
In my angular app I am trying to get the identity claims using
oauthService.getIdentityClaims()
The claims that I get are from the id token. How can I get the identity claims from the access token instead?

system · January 23, 2024, 10:48pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
OpenID connect and OAuth 2.0 API Questions	4	1786	February 15, 2024
Get user claims from access token not token id Questions	3	4725	March 11, 2020
Validate Okta Audience Questions	4	4556	February 11, 2020
Oauth2/default/v1 or oauth2/v1 OAuth/OIDC	4	6811	January 21, 2020
Can I trust the access token sub claim for identifying user? Questions	6	12190	February 4, 2022

Difference between aud in custom authrization server and ClientId

Related topics