Validate Okta Audience


I’m working in a project that contains 2 different apps (iOS Native App, DotNetCore Web App) and a middleware (also in dotnet).
Both apps need to login using Okta SDK and then call some endpoints in the middleware, that should take the access token and validate it also using the Okta SDK.

The problem is that i get different audiences from both apps…
in the iOS app i get api://default but in the web app i get the ClientId and i can’t find a way to make both work.

What can i do to fix this? is it possible to override DefaultTokenValidationParameters in the SDK to disable Audience Validation?

First thing to note is that you’re going to want to update it so that the middleware and the web/native applications are using the same Authorization Server.

The fact that you see the Client ID as the ‘aud’ for your Web App makes me think that you are trying to validate an ID token (unless you made a custom Authorization Server where you set the audience to the client ID yourself, of course), as the ‘aud’ in an ID token will always be the OAuth/OIDC client ID.

Can you ensure that you are only trying to validate access tokens? It sounds like your iOS application is looking at an access token issued by the ‘default’ authorization server, so you just want to make sure your .NET web app is as well.

1 Like

Thank you!!
i didn’t notice that i was using id_token instead of access_token :sweat_smile:

No problem! Good luck with your project!