Description
Hi Okta team,
I was reviewing the verify_client_id function and noticed that it verifies the client_id against the aud (audience) claim:
```python
# Excerpt of the JWTVerifier method; the import line is added for context.
from okta_jwt_verifier.exceptions import JWTValidationException

def verify_client_id(self, aud):
    """Verify client_id match aud or one of its elements."""
    if isinstance(aud, str):
        if aud != self.client_id:
            raise JWTValidationException('Claim "aud" does not match Client ID.')
    elif isinstance(aud, list):
        for elem in aud:
            if elem == self.client_id:
                return
        raise JWTValidationException('Claim "aud" does not contain Client ID.')
    else:
        raise JWTValidationException('Claim "aud" has unsupported format.')
```

I wanted to clarify the design decision here. Shouldn't the function check the cid claim instead of aud when verifying the client ID?
```json
"aud": "api://default",
"iat": 1748597344,
"exp": 1748600944,
"cid": "0oa***",
```

From what I understand:

- In ID tokens, aud typically is the client ID, so this check makes sense.
- But in Okta access tokens, aud refers to the API/resource server, and the client ID appears as a cid claim.

Could you please confirm:

- Is this verifier intended strictly for ID tokens?
- If so, then checking aud == client_id makes sense.
- If access tokens are also supported, should cid be verified instead?
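An added example, not code from the okta-jwt-verifier-python project, showing how the client-ID check differs for the two token types described in this issue: for an ID token aud must equal or contain the client ID, while for an access token aud names the resource server and the client ID is carried in cid. The function verify_client_binding, its token_type parameter, the stand-in exception class and the sample claims are assumptions made for illustration.

```python
# Added example; JWTValidationException here is a local stand-in for the
# library's exception so the block runs without okta-jwt-verifier installed.


class JWTValidationException(Exception):
    pass


def _aud_contains(aud, expected):
    """True if aud (a string or a list of strings) equals or contains expected."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    raise JWTValidationException('Claim "aud" has unsupported format.')


def verify_client_binding(claims, client_id, token_type, audience=None):
    """Check that decoded claims are bound to client_id for the given token type.

    token_type is "id" or "access" (assumed parameter for this example).
    For access tokens, audience is the resource-server identifier the API
    expects (for example "api://default") and must be supplied.
    Returns True on success and raises JWTValidationException on mismatch.
    """
    aud = claims.get("aud")
    if token_type == "id":
        # ID token: the audience is the client itself.
        if not _aud_contains(aud, client_id):
            raise JWTValidationException('Claim "aud" does not match Client ID.')
        return True
    if token_type == "access":
        # Access token: aud is the resource server; the client is in cid.
        if audience is None:
            raise ValueError("audience is required for access tokens")
        if not _aud_contains(aud, audience):
            raise JWTValidationException('Claim "aud" does not match expected audience.')
        if claims.get("cid") != client_id:
            raise JWTValidationException('Claim "cid" does not match Client ID.')
        return True
    raise ValueError(f"unknown token_type: {token_type!r}")


# Constructed sample claims; shapes follow the issue, values are placeholders.
ID_TOKEN_CLAIMS = {"aud": "0oaexampleclientid", "iat": 1748597344, "exp": 1748600944}
ACCESS_TOKEN_CLAIMS = {"aud": "api://default", "iat": 1748597344,
                       "exp": 1748600944, "cid": "0oaexampleclientid"}
```

Running the existing aud-only check against ACCESS_TOKEN_CLAIMS fails even though the token was issued to the client, which is the mismatch this issue points at.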