I’m using Tyk Gateway + Tyk Operator in a Kubernetes cluster. I have ApiDefinition and SecurityPolicy configured to validate JWT tokens (Auth0) for my API. All works well.
As our IdP may issue valid JWT tokens for different audiences, I want to ensure that when validating requests to /foo, the JWT token contains an aud claim with the value foo-audience. And if requests are sent to /bar, then the JWT token must contain an aud claim bar-audience.
I couldn’t find a setting that allows me to tell Tyk what audience value to check for when validating the JWT token. Is there a way to do so?
I found this topic that suggests that Tyk does perform some sort of aud validation.