I am building an internal flask app where I need to connect via Okta and I am using the OpenID connect along with OAuth 2.0
I am noticing that I receive the authorization_code correctly when using the v1/authorize endpoint.
However when I call the /v1/token endpoint which includes the audience parameter (set to client_id) , the access_token which is generated changes the audience to be the issuerURL.
I am not understanding why that happens. Anyone here encountered a similar issue?
Within the Access Token, you should see that the Audience is your Okta domain when using the Org Authorization Server. The Authorization Server is the one that controls the audience set in the token. When you are using a Custom Authorization Server, the
aud claim will match the one that you set for the authorization server in question.
Thanks Andrea. I can see on my app sign-on settings that the audience is set to client_id
Is there a reason the auth server would have a different setting and would return the access_token with an audience which equals the issuer_url?
Ah, are you referring to the section headed “OpenID Connect ID Token?”
The information there is about the claims returned in ID token, not the Access Token: