I have a SPA client that authenticates and gets back a token with aud equal to the client ID. Now, if I want to use this token to validate against my authorization server, it will fail because the authorization server has a different aud.
In the Okta documentation it states that the Audience in the authorization server should equal the API URL. So if I try to authenticate using the authorization server, I still get the client ID as aud and not what I specified in the auth server.
Can someone explain the difference here?