We have an API developed in ASP.NET Web API Core which is consumed by multiple applications. We used the JWT middleware (Configure method) to configure the authority with a single audience clientId. My question is: since our application is used by multiple clients, I think we should have a clientId for each application. In this case, how will I use the JWT middleware, since it is configured to use a single audience? How can I change the clientId at run time based on the client which is making the request?
Based on the information you provided it seems like you’re sending tokens issued for the client applications (the audience is the client application) to the API itself. In general this is not recommended and leads to situations such as this one.
The recommended approach would be for the API to receive tokens issued with an audience that represents the API; this would make the single audience configuration a non-issue as the API would only have a single identifier.
You can read more about it in: Authentication and Authorization Flows
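An added example, not code from this thread or from the identity provider's documentation: a `Program.cs` for ASP.NET Core 6+ (package `Microsoft.AspNetCore.Authentication.JwtBearer`) that validates one audience representing the API and still tells calling applications apart by a claim. The authority URL, the API identifier, the client ids and the use of the `azp` claim to carry the calling client's id are assumptions; check which claim your authorization server actually issues.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Placeholders (assumptions): replace with your tenant and your API's identifier.
const string authority = "https://YOUR_TENANT.example.com/";
const string apiAudience = "https://orders-api.example.com";

// Hypothetical client ids of the applications allowed to call this API.
var knownClients = new HashSet<string> { "CLIENT_ID_APP_A", "CLIENT_ID_APP_B" };

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys and issuer are discovered from the authority's metadata.
        options.Authority = authority;
        // One audience: the API itself, not any client application's id.
        options.Audience = apiAudience;
        // Keep JWT claim names ("azp", "sub") instead of mapped .NET claim types.
        options.MapInboundClaims = false;
    });

builder.Services.AddAuthorization(options =>
{
    // Per-client decisions are made on a claim, not by swapping the audience.
    // Assumption: the token's "azp" claim holds the calling client's id.
    options.AddPolicy("KnownClient", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
        {
            var azp = ctx.User.FindFirst("azp")?.Value;
            return azp is not null && knownClients.Contains(azp);
        }));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// A token with any other audience is rejected with 401 before the policy runs;
// a valid token from an unlisted client gets 403.
app.MapGet("/whoami", (ClaimsPrincipal user) =>
        Results.Ok(new { client = user.FindFirst("azp")?.Value }))
    .RequireAuthorization("KnownClient");

app.Run();
```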
Thanks for the update. This is what we did: we registered the API, configured the API under the non-interactive client section, and added the API as an audience for the client. Currently it works for us for a single client and should work for any other client. One issue we are facing: we added app_metadata, and with that the token length increased. We just want to make sure there won't be any issue with token length in the request header?
Unless it’s a huge amount of data you should be okay. In terms of the JWT token format there’s no maximum length, but issues may arise depending on where it’s used. For example, browsers impose limits on the length of a URL, web servers impose limits on the size of HTTP headers. The definitive answer would depend on varying answers.