When using OpenID Connect and a JWT access token, Tyk requires client_id to equal or be a subset of aud.
A token containing
"client_id":"ApiUser_1", "aud":"ApiGateway"
will throw validation error. (aud can be a list, but example kept simple here)
This seems to be a very rigid interpretation of the specification of audiences. There is not much value in checking that two fields within a token are equal, I would think.
Is this the way it is intended?
The code performing the validation can be found in idtokenvalidator.go, func validateAudiences
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
So it says that it always MUST contain client id, and custom values are optional.
So in your case it can look like: "aud": ["<client-id>", "ApiGateway"]
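As an added illustration of the rule quoted above (this is example code written for this thread, not Tyk's idtokenvalidator.go), the check below accepts aud either as a single string or as an array, and passes only when the Relying Party's client_id is among the values. The clientID parameter is assumed to be whatever the validator compares against (the configured client id, or the token's own client_id claim as in the question); the sample payloads are constructed and the JWT signature is assumed to have been verified already.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audContainsClientID reports whether the "aud" claim in claims contains
// clientID. Per OpenID Connect Core 1.0 (section 2, ID Token), aud is either
// a single case-sensitive string or an array of case-sensitive strings and it
// MUST include the Relying Party's client_id; additional audiences are allowed.
// Anything else (missing claim, wrong JSON type) is rejected.
func audContainsClientID(claims map[string]interface{}, clientID string) bool {
	switch aud := claims["aud"].(type) {
	case string:
		// Single-audience special case: exact, case-sensitive match.
		return aud == clientID
	case []interface{}:
		// General case: client_id must be one of the listed audiences;
		// other entries such as "ApiGateway" are simply ignored.
		for _, v := range aud {
			if s, ok := v.(string); ok && s == clientID {
				return true
			}
		}
		return false
	default:
		return false
	}
}

// checkPayload decodes a raw JSON claims payload (the decoded middle segment
// of a JWT, assumed to be signature-checked already) and applies the
// audience rule. A malformed payload is an error, not a pass.
func checkPayload(payload []byte, clientID string) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return false, err
	}
	return audContainsClientID(claims, clientID), nil
}

func main() {
	// Constructed sample payloads mirroring the question and the answer.
	rejected := []byte(`{"client_id":"ApiUser_1","aud":"ApiGateway"}`)
	accepted := []byte(`{"client_id":"ApiUser_1","aud":["ApiUser_1","ApiGateway"]}`)

	for _, p := range [][]byte{rejected, accepted} {
		ok, err := checkPayload(p, "ApiUser_1")
		fmt.Printf("%s -> valid=%v err=%v\n", p, ok, err)
	}
}
```

Running it prints valid=false for the first payload (aud lacks the client id) and valid=true for the second, which is exactly the outcome the answer describes.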