https://github.com/okta/okta-jwt-verifier-python/blame/ba7791d64ac3827b2bd6178304f08bde0113fc5d/okta_jwt_verifier/jwt_verifier.py#L144
Hi Okta team,
I was reviewing the verify_client_id function and noticed that it verifies the client_id against the aud (audience) claim:
```python
def verify_client_id(self, aud):
    """Verify client_id match aud or one of its elements."""
    if isinstance(aud, str):
        if aud != self.client_id:
            raise JWTValidationException('Claim "aud" does not match Client ID.')
    elif isinstance(aud, list):
        for elem in aud:
            if elem == self.client_id:
                return
        raise JWTValidationException('Claim "aud" does not contain Client ID.')
    else:
        raise JWTValidationException('Claim "aud" has unsupported format.')
```
I wanted to clarify the design decision here. Shouldn't the function check the cid claim instead of aud when verifying the client ID?
```json
"aud": "api://default",
"iat": 1748597344,
"exp": 1748600944,
"cid": "0oa***",
```
From what I understand:
In ID tokens, aud typically is the client ID, so this check makes sense.
But in Okta access tokens, aud refers to the API/resource server, and the client ID appears as a cid claim.
Could you please confirm:
Is this verifier intended strictly for ID tokens?
If so, then checking aud == client_id makes sense.
If access tokens are also supported, should cid be verified instead?
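As an added illustration (example code written for this discussion, not the okta-jwt-verifier-python library's own code), the following claim checks separate the two cases the question raises: an ID token, where `aud` is the client ID, and an Okta access token, where `aud` names the resource server and `cid` names the client. The function names, the `ClaimValidationError` class and the sample claim sets are all constructed here; the claim shapes follow the excerpt above, and the `aud` handling mirrors the string-or-list rule from RFC 7519.

```python
# Added example, not the library's code: claim checks that distinguish ID tokens
# (aud == client_id) from Okta access tokens (aud == resource, cid == client_id).
# All names and sample data are constructed for illustration.


class ClaimValidationError(Exception):
    """Raised when a claim does not match what the verifier expects."""


def _aud_contains(aud, expected):
    """RFC 7519 allows "aud" to be one string or a list of strings."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return any(isinstance(elem, str) and elem == expected for elem in aud)
    raise ClaimValidationError('Claim "aud" has unsupported format.')


def verify_id_token_claims(claims, client_id):
    """ID token: the audience is the client itself, so aud must hold client_id."""
    if not _aud_contains(claims.get("aud"), client_id):
        raise ClaimValidationError('Claim "aud" does not match Client ID.')
    return True


def verify_access_token_claims(claims, audience, client_id=None):
    """Access token: aud names the resource server; cid (if checked) names the client."""
    if not _aud_contains(claims.get("aud"), audience):
        raise ClaimValidationError('Claim "aud" does not match expected audience.')
    if client_id is not None and claims.get("cid") != client_id:
        raise ClaimValidationError('Claim "cid" does not match Client ID.')
    return True


def passes(check, *args):
    """Return True if a check accepts the claims, False if it raises."""
    try:
        check(*args)
        return True
    except ClaimValidationError:
        return False


# Constructed sample claim sets, shaped like the issue's excerpt (values are fake).
CLIENT_ID = "0oa-example-client"
ID_TOKEN_CLAIMS = {"aud": CLIENT_ID, "iat": 1748597344, "exp": 1748600944}
ACCESS_TOKEN_CLAIMS = {
    "aud": "api://default",
    "iat": 1748597344,
    "exp": 1748600944,
    "cid": CLIENT_ID,
}


def demonstrate():
    """Show which rule accepts which token type; returns a dict of outcomes."""
    return {
        # ID token under the aud == client_id rule: accepted.
        "id_under_id_rule": passes(verify_id_token_claims, ID_TOKEN_CLAIMS, CLIENT_ID),
        # Access token under the aud == client_id rule: rejected, because aud is the resource.
        "access_under_id_rule": passes(verify_id_token_claims, ACCESS_TOKEN_CLAIMS, CLIENT_ID),
        # Access token checked against its resource audience and cid: accepted.
        "access_under_access_rule": passes(
            verify_access_token_claims, ACCESS_TOKEN_CLAIMS, "api://default", CLIENT_ID
        ),
        # Access token presented to a different resource server: rejected on aud.
        "access_wrong_audience": passes(
            verify_access_token_claims, ACCESS_TOKEN_CLAIMS, "api://other", CLIENT_ID
        ),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The point of the two separate functions is that a resource server should always pin `aud` to its own identifier; whether it also pins `cid` depends on whether it wants to restrict which clients may call it, which is a separate decision from validating the token itself.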