VerifyJWT Policy Audience Claim Message Templating

Is there a specific reason why the <Audience> claim does not support message templating? Or is that in the roadmap?

The aud claim for Production vs Staging is different in my case and ideally I'd like to load that from a KVM. The workaround for now is to omit that from the VerifyJWT policy and evaluate/raise a fault in a JavaScript callout, but it would be much cleaner if the Audience supported message templating.

Solved
1 ACCEPTED SOLUTION

Hi @Chris Wright, AFAIK, <Audience> claim does support message templating.

Here's the code I quickly tested; <Audience> was read from a KVM (put this policy before the VerifyJWT policy so the value is read from the KVM first, of course):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" name="Kvm-Okta" mapIdentifier="okta-aud">
    <DisplayName>KVM-OKTA-Audience</DisplayName>
    <Properties/>
    <ExclusiveCache>false</ExclusiveCache>
    <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
    <Get assignTo="aud" index="1">
        <Key>
            <Parameter>aud</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

Here's the VerifyJWT policy (placed after the KVM read):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT async="false" continueOnError="false" enabled="true" name="VerifyJWT">
    <DisplayName>VerifyJWT</DisplayName>
    <Algorithm>RS256</Algorithm>
    <Source>authn.jwt</Source>
    <PublicKey>
        <JWKS ref="cached.okta.jwks"/>
    </PublicKey>
    <Subject>0oaaj12345678910</Subject>
    <Issuer>https://dev-xxxxxx.okta.com/oauth2/default</Issuer>
    <Audience ref="aud"/>
    <AdditionalClaims>
        <Claim name="cid">0oaaj12345678910</Claim>
    </AdditionalClaims>
</VerifyJWT>

The most important line is this one:

<Audience ref="aud"/>

I hope this helps.

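For anyone who still ends up doing the check in a callout, as in the workaround the question describes (omit <Audience> from VerifyJWT and raise a fault afterwards), here is an added example of what that JavaScript callout needs to get right. It is not code from the question, the accepted answer, or Apigee itself. The flow variable names are assumptions: `jwt.VerifyJWT.decoded.claim.aud` for the decoded claim set by a VerifyJWT policy named VerifyJWT, and `aud` for the expected audience the KVM policy above assigns. The `fakeContext` helper is a constructed stand-in for the Apigee `context` object so the check can be run outside a proxy.

```javascript
// Added example (not from the question or the accepted answer): the audience
// check a JavaScript callout performs when <Audience> is left out of VerifyJWT.
//
// Assumed flow variable names (not stated on the page):
//   "jwt.VerifyJWT.decoded.claim.aud"  - decoded aud claim set by VerifyJWT
//   "aud"                              - expected audience read from the KVM

// RFC 7519 allows "aud" to be a single string or an array of strings.
// Return it as an array of non-empty strings, or [] when absent or unusable.
function normalizeAudience(claim) {
  if (claim === undefined || claim === null) {
    return [];
  }
  if (Array.isArray(claim)) {
    return claim.filter(function (a) { return typeof a === 'string' && a !== ''; });
  }
  if (typeof claim === 'string') {
    if (claim === '') {
      return [];
    }
    // A multi-valued claim may surface as a JSON-encoded array string.
    if (claim.charAt(0) === '[') {
      try {
        return normalizeAudience(JSON.parse(claim));
      } catch (e) {
        return [];
      }
    }
    return [claim];
  }
  return [];
}

// Exact, case-sensitive match of the expected audience against the claim.
// No prefix, substring or regex matching, and an empty or missing expected
// value never matches, so a missing KVM entry fails closed.
function audienceMatches(claim, expected) {
  if (typeof expected !== 'string' || expected === '') {
    return false;
  }
  var audiences = normalizeAudience(claim);
  for (var i = 0; i < audiences.length; i++) {
    if (audiences[i] === expected) {
      return true;
    }
  }
  return false;
}

// Callout body: read the two flow variables, record the verdict, and throw so
// the JavaScript policy raises a fault when the audience does not match.
function checkAudience(context) {
  var claim = context.getVariable('jwt.VerifyJWT.decoded.claim.aud');
  var expected = context.getVariable('aud');
  var ok = audienceMatches(claim, expected);
  context.setVariable('jwt.audience.valid', ok ? 'true' : 'false');
  if (!ok) {
    throw new Error('JWT audience mismatch');
  }
  return true;
}

// Constructed stand-in for the Apigee "context" object (getVariable/setVariable
// backed by a plain map) so the check can be exercised outside a proxy.
function fakeContext(vars) {
  return {
    getVariable: function (name) { return vars[name]; },
    setVariable: function (name, value) { vars[name] = value; }
  };
}
```

Inside a proxy only `checkAudience(context)` is called, with the real `context`; the points worth keeping even after switching to `<Audience ref="aud"/>` are the string-or-array handling and the exact match, since a prefix comparison would let a token for a similarly named audience through.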

Awesome thanks! Just couldn't find that anywhere in the documentation it seemed like it was not supported for that particular field. I'll leave feedback on that doc to hopefully get it updated.