Validate Audience from Client Credential and OIDC Token using consistent code

Hi All,

We have an ASP.NET Core API which is being called from a React JS application (SPA). In the API, we validate the audience so that only tokens which are issued to this ClientId can call our API. The code to validate the audience is below, in startup.cs.

.AddJwtBearer(options =>
{
    options.Authority = Configuration["Okta:Domain"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        RequireSignedTokens = true,
        ClockSkew = TimeSpan.FromMinutes(5),
        RequireExpirationTime = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidateAudience = true,
        ValidateIssuer = true,
        ValidIssuer = Configuration["Okta:Domain"],
        ValidAudiences = new[] { "<<clientid_1>>" }
    };
});

Now, we will have a new client calling our API, and that client will be using the Client Credentials flow to call this API. The audience value passed in the token for this new client is api://default, and the client id is passed in the cid field instead.

However, if I set ValidAudiences = new[] { "<<clientid_1>>", "api://default" } then that will not be good, as a third client which is not supposed to call our API will be able to call it using the Client Credentials flow, since for that third client the audience will also be "api://default".

So, the question is: how can I validate the caller's audience in the case of OIDC and the caller's CID in the case of Client Credentials, using the same code like the one above in my API?
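One way to keep a single TokenValidationParameters block while still distinguishing the two token shapes is to replace the static ValidAudiences list with an AudienceValidator delegate that also reads the cid claim. The code below is an added example, not the poster's code or Okta's; it assumes the claim names and values given in the question ("<<clientid_1>>" as the SPA's audience, api://default as the Client Credentials audience, cid as the client id claim) and uses "<<clientid_2>>" as a placeholder for the new machine client's id. The decision logic is kept in a pure function so it can be unit-tested without a live authorization server.

```csharp
// Added example (not from the original post): one validation block that accepts
//   - an OIDC/SPA access token whose aud is our client id, or
//   - a Client Credentials token whose aud is api://default AND whose cid is allowlisted.
// A third client that merely obtains an api://default token is rejected because its cid
// is not in the allowlist. "<<clientid_1>>" and "<<clientid_2>>" are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class CallerAudiencePolicy
{
    // Audience carried by tokens issued to the React SPA (its OIDC client id).
    public static readonly HashSet<string> OidcAudiences =
        new(StringComparer.Ordinal) { "<<clientid_1>>" };

    // Audience shared by every Client Credentials token from the authorization server.
    public const string ClientCredentialsAudience = "api://default";

    // Only these machine clients may call the API with an api://default token.
    public static readonly HashSet<string> AllowedClientCredentialIds =
        new(StringComparer.Ordinal) { "<<clientid_2>>" };   // placeholder client id

    // Pure decision function: true only for one of the two accepted token shapes.
    public static bool IsAllowedCaller(IEnumerable<string>? audiences, string? cid)
    {
        if (audiences is null) return false;
        var audList = audiences.ToList();

        // Shape 1: OIDC token issued to our own SPA client id.
        if (audList.Any(OidcAudiences.Contains)) return true;

        // Shape 2: Client Credentials token. The audience alone proves nothing,
        // because every client of this authz server gets the same aud value,
        // so the cid claim must also be on the allowlist.
        if (audList.Contains(ClientCredentialsAudience) && cid is not null)
            return AllowedClientCredentialIds.Contains(cid);

        return false;
    }

    // The JwtBearer handler passes a JsonWebToken (newer handler) or a
    // JwtSecurityToken (older handler); read the cid claim from either.
    public static string? ExtractCid(SecurityToken token) => token switch
    {
        JsonWebToken modern => modern.Claims.FirstOrDefault(c => c.Type == "cid")?.Value,
        JwtSecurityToken legacy => legacy.Claims.FirstOrDefault(c => c.Type == "cid")?.Value,
        _ => null
    };

    // Signature required by TokenValidationParameters.AudienceValidator.
    public static bool ValidateAudience(IEnumerable<string> audiences,
                                        SecurityToken token,
                                        TokenValidationParameters _)
        => IsAllowedCaller(audiences, ExtractCid(token));
}

public static class JwtBearerSetup
{
    // Same wiring as the original Startup.cs, with AudienceValidator replacing ValidAudiences.
    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = configuration["Okta:Domain"];
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    RequireSignedTokens = true,
                    ClockSkew = TimeSpan.FromMinutes(5),
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidateIssuer = true,
                    ValidIssuer = configuration["Okta:Domain"],
                    ValidateAudience = true,
                    // Delegate runs in place of the ValidAudiences comparison.
                    AudienceValidator = CallerAudiencePolicy.ValidateAudience
                };
            });
    }
}
```

When AudienceValidator is set, the token handler calls it instead of comparing aud against ValidAudiences, so the issuer and signature checks above still run unchanged and only the audience decision is customised. Keeping IsAllowedCaller free of framework types makes the three cases worth testing obvious: an aud of "<<clientid_1>>" passes, an api://default token with an allowlisted cid passes, and an api://default token with any other cid (or no cid at all) fails.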

I may be wrong, but you probably use the wrong terminology here. Client Credentials is an OIDC flow used for machine-to-machine communication, but it still uses a token issued by the authorization server. Audience is a claim in the JWT, so it'll be cooked by your authz server and will have the same audience