Difference between aud in custom authorization server and ClientId

I have a SPA client that authenticates and gets back a token with aud equal to the client ID. Now if I want to use this token to validate against my authorization server it will fail because the authorization server has a different aud.
In the Okta documentation it states that the audience in the authorization server should equal the API URL. So if I try to authenticate using the authorization server I still get the client ID as aud and not what I specified in the auth server.

Can someone explain the difference here?

That should be the case for an id token: https://developer.okta.com/docs/guides/validate-id-tokens/overview/#verify-the-claims but the access token should have the audience specific to the downstream API (resource server): https://developer.okta.com/docs/guides/validate-access-tokens/overview/#verify-the-claims
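To make the distinction in this answer concrete, here is an added example (not Okta's code, and not from the original thread) that decodes two constructed tokens and applies the aud check the linked guides describe: the ID token's aud must be the client ID, the access token's aud must be the audience configured on the custom authorization server. The issuer URL, client ID and API audience are placeholder values, and the tokens are unsigned so the claim check can run offline; a real validator verifies the RS256 signature against the issuer's JWKS first.

```python
import base64
import json
import time

# Constructed sample values (assumptions, not taken from the thread).
ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
API_AUDIENCE = "api://default"

def _b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    # Unsigned ("alg": "none") token for illustration only. Real Okta tokens
    # are RS256-signed and the signature must be verified against the
    # issuer's JWKS before any claim below is trusted.
    return ".".join([_b64url_encode({"alg": "none"}), _b64url_encode(claims), ""])

def payload_of(token):
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_claims(token, token_type, now=None):
    """Check iss, exp and aud. token_type is "id" (aud must be the client
    ID) or "access" (aud must be the authorization server's audience).
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    p = payload_of(token)
    expected_aud = CLIENT_ID if token_type == "id" else API_AUDIENCE
    if p.get("iss") != ISSUER:
        return False, "issuer mismatch"
    if p.get("exp", 0) <= now:
        return False, "token expired"
    aud = p.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, f"aud {auds} does not contain {expected_aud}"
    return True, "ok"

NOW = 1_700_000_000
# Constructed ID token: aud is the SPA's client ID.
ID_TOKEN = make_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user1", "exp": NOW + 3600})
# Constructed access token from the custom authorization server: aud is the
# API audience; the client ID appears in the separate "cid" claim instead.
ACCESS_TOKEN = make_token({"iss": ISSUER, "aud": API_AUDIENCE, "cid": CLIENT_ID, "sub": "user1", "exp": NOW + 3600})
```

Checking the access token against the client ID fails, which is exactly the mismatch described in the question.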

OK, thanks, that works. Now I am able to get the proper aud in the access token. One thing though…
In my angular app I am trying to get the identity claims using
oauthService.getIdentityClaims()
The claims that I get are from the id token. How can I get the identity claims from the access token instead?
