Skip to content

Commit f84c44f

Browse files
committed
fix(okta): accept client_id as valid audience for ID token verification
1 parent b5ce48d commit f84c44f

1 file changed

Lines changed: 6 additions & 1 deletion

File tree

keep/identitymanager/identity_managers/okta/okta_authverifier.py

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -98,12 +98,17 @@ def _verify_bearer_token(self, token: str = Depends(oauth2_scheme)) -> Authentic
9898
# Get the signing key directly from the JWT
9999
signing_key = self.jwks_client.get_signing_key_from_jwt(token).key
100100

101+
# Build accepted audiences: always include client_id (ID token aud)
102+
# and optionally the configured OKTA_AUDIENCE (access token aud).
103+
audiences = [self.okta_client_id] if self.okta_client_id else []
104+
if self.okta_audience and self.okta_audience != self.okta_client_id:
105+
audiences.append(self.okta_audience)
101106
# Decode and verify the token
102107
payload = jwt.decode(
103108
token,
104109
key=signing_key,
105110
algorithms=["RS256"],
106-
audience=self.okta_audience or self.okta_client_id,
111+
audience=audiences or None,
107112
issuer=self.okta_issuer,
108113
options={"verify_exp": True}
109114
)

0 commit comments

Comments
 (0)