Hi All,
We have a ASP.Net Core API which is being called from a React JS Application (SPA). In API, we validate the Audience so that only token which are issued to this ClientId can call our API. The code to validate Audience is below in startup.cs.
.AddJwtBearer(options =>
{
options.Authority = Configuration[“Okta:Domain”];
options.TokenValidationParameters = new TokenValidationParameters
{
RequireSignedTokens = true,
ClockSkew = TimeSpan.FromMinutes(5),
RequireExpirationTime = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidateAudience = true,
ValidateIssuer = true,
ValidIssuer = Configuration[“Okta:Domain”],
ValidAudiences = new[] { “<<clientid_1>>” }
};
});
Now, we will have a new client calling our API and that client will be using Client Credential Flow to call this API. The audience value being passed in token for this new client is api://default and client id is passed in cid field instead.
However, if I set ValidAudiences = new[] { “<<clientid_1>>”, “api://default” } then that will not be good as a third client which is not supposed to call our API will be able to call it using Client Credential Flow as for that third client also the audience will be “api://default”.
So, question is that how can I validate caller Audience Id in case of OIDC and caller CID in case of Client Credentials, using same code like the one above in my API.