Please include the following information in your post:
- Which SDK this is regarding: auth0-php
- SDK Version: e.g. 8.1
- Platform Version: php 8.1
- Code Snippets/Error Messages/Supporting Details/Screenshots: 8.0: AZP is now checked against the audience · Issue #606 · auth0/auth0-PHP · GitHub
As per the linked issue on the auth0-php package, when validating an ID token in an API you now need to include the SPA’s (application’s) client_id as an audience, as the package now validates the azp claim against the
This seems counter-intuitive; the audience is an identifier, or array of identifiers, of resource servers the token is valid for. The azp is the identifier of the origin, or the authorised party. Why are we now required to validate the id of the origin against an array of targets?!
This now means that if you have an API which is targeted by multiple different SPAs (applications) then all of the SPA client_ids need to be included in that API’s audience configuration - which is tedious as hell. Is there any way in the dashboard to avoid having to do this?
Thank you in advance.