AZP check on IDToken requires SPA client_id as audience?!


As per the linked issue on the auth0-php package, when validating an ID token in an API you now need to include the SPA’s (application’s) client_id as an audience, as the package now validates the azp claim against the audience array.

  1. This seems counter-intuitive; the audience is an identifier, or array of identifiers, of resource servers the token is valid for. The azp is the identifier of the origin, or the authorised party. Why are we now required to validate the id of the origin against an array of targets?!

  2. This now means that if you have an API which is targeted by multiple different SPAs (applications) then all of the SPA client_ids need to be included in that API’s audience configuration - which is tedious as hell. Is there any way in the dashboard to avoid having to do this?

Thank you in advance.
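The two claims the question turns on are defined differently for the two token types. In OIDC Core (section 3.1.3.7) an ID token's aud must contain the client's own client_id, azp must equal that client_id when present, and azp is required whenever aud has more than one value; an access token's aud, by contrast, identifies the resource server, and azp simply names the client that obtained it. The following is an added example (not the auth0-php SDK's code and not a description of what that SDK does) that implements those checks side by side; the issuer, client_id and API identifier are constructed values, signature verification is assumed to have happened earlier, and the allow-list parameter is an optional design choice, not a spec requirement.

```python
"""Audience (aud) and authorised-party (azp) claim checks for the two token
types discussed in the thread. Added example, not the auth0-php SDK's code.

Signature verification against the tenant's JWKS is assumed to have been done
already; these functions only inspect the decoded claims that decide *whom* a
token is for. Each returns a list of problems, empty when the token passes.
"""

EXAMPLE_ISSUER = "https://example-tenant.example.com/"  # constructed value
SPA_CLIENT_ID = "spa-client-id-EXAMPLE"                   # constructed value
API_IDENTIFIER = "https://api.example.com"                # constructed value
NOW = 1_700_000_000                                       # fixed clock for the demo


def _aud_as_list(claims):
    """aud may be a single string or a JSON array; normalise it to a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def check_id_token_claims(claims, client_id, issuer, now=NOW):
    """ID token: consumed by the client (the SPA), per OIDC Core 3.1.3.7.

    aud must contain the client's own client_id; if aud carries several
    values, azp must be present; and azp, when present, must equal client_id.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    aud = _aud_as_list(claims)
    if client_id not in aud:
        problems.append("aud does not contain this client's client_id")
    azp = claims.get("azp")
    if len(aud) > 1 and azp is None:
        problems.append("aud has multiple values but azp is missing")
    if azp is not None and azp != client_id:
        problems.append("azp does not equal this client's client_id")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


def check_access_token_claims(claims, api_identifier, issuer,
                              allowed_azp=None, now=NOW):
    """Access token: consumed by the resource server (the API).

    aud must contain the API's own identifier. azp names the calling client
    and is an authorization input; the optional allow-list (a design choice,
    not a spec rule) lets an API restrict which clients it serves without
    adding their client_ids to its own audience.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the expected issuer")
    if api_identifier not in _aud_as_list(claims):
        problems.append("aud does not contain this API's identifier")
    azp = claims.get("azp")
    if allowed_azp is not None and azp not in allowed_azp:
        problems.append("azp is not a client this API accepts")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems


if __name__ == "__main__":
    # Constructed sample claims, as an authorization server might mint them.
    id_token = {"iss": EXAMPLE_ISSUER, "aud": SPA_CLIENT_ID,
                "azp": SPA_CLIENT_ID, "exp": NOW + 3600}
    access_token = {"iss": EXAMPLE_ISSUER, "aud": API_IDENTIFIER,
                    "azp": SPA_CLIENT_ID, "exp": NOW + 3600}
    print("ID token problems:    ",
          check_id_token_claims(id_token, SPA_CLIENT_ID, EXAMPLE_ISSUER))
    print("access token problems:",
          check_access_token_claims(access_token, API_IDENTIFIER,
                                    EXAMPLE_ISSUER, allowed_azp={SPA_CLIENT_ID}))
```

The split mirrors the maintainer's remark later in the thread: the ID token is checked by the client against its own client_id, while the API checks the access token against its own identifier and treats azp as information about the caller rather than as another audience.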

Hi @FullStackFool!

It looks like the maintainer of that SDK was able to respond in the GH issue you linked. I am going to repost their response here for the benefit of other users:

Hi @fullstackfool :wave: Yes, that’s working as intended. In your case, you may need to pass the client_id of your SPA as an audience value in the array for the claim to validate correctly.

I’m curious why you are sending the ID token to your resource server and not the access token. I typically see the ID token consumed by frontend client and the access token used to request resources from the backend API/resource server.

I’m curious why you are sending the ID token to your resource server and not the access token

Just a mistype, meant access token.

I appreciated their response, but wanted to take this topic deeper. They don’t want to enable GitHub Discussions on that repo, so figured here would be best.

This question is going to come up a lot from users, I think:

This now means that if you have an API which is targeted by multiple different SPAs (applications) then all of the SPA client_ids need to be included in that API’s audience configuration - which is tedious as hell. Is there any way in the dashboard to avoid having to do this?