I’m getting the same value but a differently formatted aud claim in my JWT when using the client_credentials and authorization_code grant types with the same client ID and requested scope, using B2C user flows.
Interactive Auth Code Flow
scope: https://<mytenant>.onmicrosoft.com/177da752-d895-4325-8aee-d6e459bee811/<permission>
grant_type: authorization_code
jwt value: "aud": "177da752-d895-4325-8aee-d6e459bee811"

Non-Interactive Client Credentials Flow
scope: https://<mytenant>.onmicrosoft.com/177da752-d895-4325-8aee-d6e459bee811/.default
grant_type: client_credentials
jwt value: "aud": "https://<mytenant>.onmicrosoft.com/177da752-d895-4325-8aee-d6e459bee811"
Is this by design?
Thanks in advance.
2 Answers
Yes.
Client credentials have the context of an application, while code grant has the context of a user.
It looks like there is some confusion between the aud and sub JWT claims in the example you provided. In your case, since you are using the same client ID and (assuming) you are targeting the same resource in both the authorization code and the client credentials flows, you would expect the aud claim to be identical in both tokens. The different values you are seeing are unusual. It might be due to some misconfiguration or how the token endpoint is implemented; maybe ask the provider for clarification? Remember, the aud claim is about where the token is going, not who is using it. The "who" part is represented by the sub claim. This is explained in RFC 7519.

So, long story short: if the client is meant to access "api.my-domain.com", then this should always be the aud value in your JWT, regardless of whether it’s obtained through the Interactive Auth Code or the Non-Interactive Client Credentials flow.
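The practical consequence for the API receiving these tokens is that audience validation has to accept both spellings the question shows: the bare client ID from the authorization code flow and the App ID URI form from the client credentials flow. The following is an added example (not code from the asker, the answerers, or Microsoft) of a token validator that checks the signature, expiry and audience against an allow-list containing both forms, and mints one sample token per flow to exercise it. It assumes an HS256 shared secret purely so it runs offline; real B2C tokens are RS256-signed and must be verified against the tenant's published signing keys. The client ID is the one from the question; the tenant name, secret and subject values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Client ID from the question; tenant name below is a constructed stand-in.
CLIENT_ID = "177da752-d895-4325-8aee-d6e459bee811"
APP_ID_URI = f"https://mytenant.onmicrosoft.com/{CLIENT_ID}"
# Both audience spellings identify this API, so both are accepted.
ACCEPTED_AUDIENCES = {CLIENT_ID, APP_ID_URI}
# Constructed HS256 secret (assumption for an offline example); B2C tokens are
# RS256-signed and verified against the tenant's JWKS keys, not a shared secret.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact HS256 JWT; stands in for the B2C token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Verify alg, signature, expiry and audience; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the header is attacker-controlled until the signature checks out.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    # RFC 7519 allows aud to be a string or an array; accept if any entry is ours.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in ACCEPTED_AUDIENCES for a in auds):
        raise ValueError(f"audience {aud!r} not accepted")
    return claims


def demo() -> list:
    """Mint one token per flow from the question and return the validated aud values."""
    exp = int(time.time()) + 3600
    # Authorization code flow: user context, aud is the bare client ID.
    code_grant = mint_token({"aud": CLIENT_ID, "sub": "user-oid-constructed", "exp": exp})
    # Client credentials flow: application context, aud is the App ID URI.
    client_creds = mint_token({"aud": APP_ID_URI, "sub": CLIENT_ID, "exp": exp})
    return [validate_token(t)["aud"] for t in (code_grant, client_creds)]


if __name__ == "__main__":
    print(demo())
```

Allow-listing both forms is safer than stripping the URI prefix before comparison, since a normalisation step that is too generous can end up matching audiences that were never meant for this API.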