Hello @Christofer Cousins
Here's a high-level overview of how you might approach this:
- Adding an Audience to an ID or Access Token: The aud (audience) claim in a JWT is meant to refer to the Resource Servers that should accept the token. In general, the audience of a token is the intended recipient of the token. It's possible to have more than one audience in a JWT. However, the consumer of the token only identifies as a single audience. In this case, the consumer accepts and validates a token only if its own audience is in the audience claims of the token.
- Audience Override Claim: If the audienceOverride claim is causing authentication to fail for the web app because the application URI/ID is no longer in the audience, you might need to reconsider its usage. It's important to ensure that the default aud claim remains in the token for authentication in your web app.
- Creating a Separate Web API App: If you're creating a separate web API app to generate a new JWT token for authenticated users through your web app, you'll need to ensure that the initial ID token's roles and claims are persisted. This can be complex, but there are resources available that discuss how to authenticate users given the initial ID token and persist the roles and claims within it.
- More Than One Audience in a JWT: Whether you should try to have more than one audience in a JWT depends on your specific use case. If you have multiple APIs that can be used by multiple clients, having more than one audience per API could potentially simplify your authentication process.
Remember, it's crucial to ensure the security of your authentication process. If you're unsure, it may be beneficial to consult with a security expert or conduct a security audit of your system. Always prioritize the security and privacy of your users' data.
I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.