JWT tokens, clientId required to equal aud

When using OpenID Connect and JWT access tokens, Tyk requires client_id to equal aud or be a subset of it.

A token containing
"client_id": "ApiUser_1", "aud": "ApiGateway"

will throw a validation error. (aud can be a list, but the example is kept simple here.)

This seems to be a very rigid interpretation of the specification of audiences. There is not much value in checking that two fields within a token are equal, I would think.

Is this the way it is intended?

The code performing the validation can be found in idtokenvalidator.go, func validateAudiences

In this case this code follows OpenID RFC Final: OpenID Connect Core 1.0 incorporating errata set 1

aud

REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

So it says that it always MUST contain the client ID, and custom values are optional.
So in your case it can look like: "aud": ["<client-id>", "ApiGateway"]
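The rule quoted from OpenID Connect Core above, written out as an added example (this is not Tyk's validateAudiences, and it assumes the JWT payload has already been base64-decoded and its signature verified before being passed in): "aud" may arrive as a single string or as an array, the comparison is exact and case sensitive, and the value it must contain is the relying party's own configured client_id, not some other claim in the token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// audienceClaim accepts both encodings OIDC Core allows for "aud":
// a single case-sensitive string or an array of them.
type audienceClaim []string

func (a *audienceClaim) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		return nil // treated as absent by the caller
	}
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = audienceClaim{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = audienceClaim(many)
	return nil
}

// claims holds only the fields this check needs from the JWT payload.
type claims struct {
	ClientID string        `json:"client_id"`
	Audience audienceClaim `json:"aud"`
}

var ErrAudienceMismatch = errors.New("aud does not contain the relying party's client_id")

// ValidateAudience applies the MUST from OIDC Core: the relying party's
// client_id has to appear among the audience values. Extra audiences are
// allowed; matching is exact and case sensitive.
func ValidateAudience(aud []string, relyingPartyClientID string) error {
	if relyingPartyClientID == "" {
		return errors.New("relying party client_id is not configured")
	}
	for _, v := range aud {
		if v == relyingPartyClientID {
			return nil
		}
	}
	return ErrAudienceMismatch
}

// CheckTokenPayload parses a decoded JWT payload and validates its aud claim
// against the client_id configured for this relying party (hypothetical helper).
func CheckTokenPayload(payload []byte, relyingPartyClientID string) error {
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("invalid JWT payload: %w", err)
	}
	if len(c.Audience) == 0 {
		return errors.New("aud claim missing")
	}
	return ValidateAudience(c.Audience, relyingPartyClientID)
}

func main() {
	// Constructed payloads mirroring the thread: the first is the one that
	// fails, the second is the shape the spec requires.
	rejected := []byte(`{"client_id":"ApiUser_1","aud":"ApiGateway"}`)
	accepted := []byte(`{"client_id":"ApiUser_1","aud":["ApiUser_1","ApiGateway"]}`)
	fmt.Println("single aud, no client_id:", CheckTokenPayload(rejected, "ApiUser_1"))
	fmt.Println("aud list with client_id: ", CheckTokenPayload(accepted, "ApiUser_1"))
}
```

The point worth keeping in mind when reading the token's own "client_id" claim: the spec never asks the validator to compare two fields inside the token with each other; it asks whether the audience list names the relying party that is doing the validating, which is why the comparison above takes the configured client ID as a parameter.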

I see.

A peculiar workaround is that if I just add an extra client ID in the configuration, it does validate.

Example:

API configured with

ClientID=ID1 mapped to Policy1
ClientID=Audience1 mapped to Policy1

Then a token with "client_id=ID1, aud=Audience1" validates.