Please include the following information in your post:
- Which SDK this is regarding: auth0-php
- SDK Version: e.g. 8.1
- Platform Version: php 8.1
- Code Snippets/Error Messages/Supporting Details/Screenshots: 8.0: AZP is now checked against the audience · Issue #606 · auth0/auth0-PHP · GitHub
As per the linked issue on the auth0-php package, when validating an ID token in an API you now need to include the SPA’s (application’s) client_id as an audience, as the package now validates the `azp` claim against the `audience` array.
- This seems counter-intuitive; the audience is an identifier, or array of identifiers, of resource servers the token is valid for. The `azp` is the identifier of the origin, or the authorised party. Why are we now required to validate the id of the origin against an array of targets?!
- This now means that if you have an API which is targeted by multiple different SPAs (applications) then all of the SPA `client_id`s need to be included in that API’s audience configuration - which is tedious as hell. Is there any way in the dashboard to avoid having to do this?
Thank you in advance.
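
The behaviour described in the post, as an added sketch that is not part of the original post and is not the auth0-PHP SDK's own code. It shows a token from one SPA being rejected until that SPA's client_id is listed as an audience; the function names, the API identifier and the client ids are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative only: mirrors the check as the post describes it, not the SDK source.
// The API identifier and client ids below are constructed sample values.

/** Normalise a claim that may be a single string or an array of strings. */
function claimAsList(mixed $value): array
{
    if (is_string($value)) {
        return [$value];
    }
    return is_array($value) ? array_values(array_filter($value, 'is_string')) : [];
}

/**
 * Returns a list of validation errors; an empty list means the claims pass.
 * $allowedAudiences stands for the audience list configured on the API side.
 */
function checkAudienceAndAzp(array $claims, array $allowedAudiences): array
{
    $errors = [];
    $aud = claimAsList($claims['aud'] ?? null);

    if (array_intersect($aud, $allowedAudiences) === []) {
        $errors[] = 'aud does not contain any configured audience';
    }

    // The check the post describes: when azp is present, it must also be
    // one of the configured audiences.
    if (array_key_exists('azp', $claims)) {
        $azp = $claims['azp'];
        if (!is_string($azp) || !in_array($azp, $allowedAudiences, true)) {
            $errors[] = 'azp is not in the configured audience list';
        }
    }

    return $errors;
}

// Constructed claims for a token issued to a second SPA.
$claims = ['aud' => ['https://api.example.test'], 'azp' => 'spa-client-b'];

// Only the API identifier configured: the azp check rejects the token.
var_dump(checkAudienceAndAzp($claims, ['https://api.example.test']));

// Every calling SPA's client_id listed as well: the token passes.
var_dump(checkAudienceAndAzp($claims, ['https://api.example.test', 'spa-client-a', 'spa-client-b']));
```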