Okta Classic Engine | Okta Integration Network | Answered | 2024-04-15T12:39:10.000Z | 2019-03-14T21:34:54.000Z | 2019-03-20T20:45:12.000Z

j09ie (j09ie) asked a question.

Recommended auth_token behavior for multiple apps?

Hi

I have created separate Applications to give production and staging versions of an application different user lists. Both OpenID auth loops produce an auth_token cookie in the *.blah.com domain. Now we have a situation where the auth_token from prod is wrongly accepted by staging. If I attempt to check the jwt audience and reauth, I seem to get the prod cookie regardless and fall into an endless loop. So I am wondering: is it reasonable to use Okta Apps for coarse authorization like this? Is jwt_ audience the correct value to key off of? Should auth_tokens be constrained to a tighter domain/host? Any other advice?

 

Thanks

Alex Mouton


  • Hi Alex,

     

    The issue here seems to be from a misconfiguration in the JWT verifier. Can you please check that you are correctly receiving the signing keys from the preview environment and checking them against the JWT token header and signature sections?

     

    Dragos Gaftoneanu

    Developer Support Engineer

    Okta Global Customer Care
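
An added example, not part of the thread and not Okta's code: a per-environment verifier of the kind the question and reply discuss, which rejects a token unless its signing key, issuer and audience all belong to the environment doing the check. HMAC-SHA256 secrets stand in for the issuer's published signing keys so it runs on the standard library alone; the issuer URLs, client IDs and key IDs are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed settings (assumptions, not values from the thread). HS256 secrets
# stand in for the signing keys each environment's issuer publishes.
ENVS = {
    "prod": {"iss": "https://prod.example/oauth2/default", "aud": "prod-client-id",
             "keys": {"prod-kid-1": b"prod-secret"}},
    "staging": {"iss": "https://preview.example/oauth2/default", "aud": "staging-client-id",
                "keys": {"stg-kid-1": b"staging-secret"}},
}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(env, claims, kid):
    """Mint a constructed sample token with one of `env`'s keys."""
    head = _b64e(json.dumps({"alg": "HS256", "kid": kid}).encode())
    msg = head + "." + _b64e(json.dumps(claims).encode())
    mac = hmac.new(ENVS[env]["keys"][kid], msg.encode(), hashlib.sha256)
    return msg + "." + _b64e(mac.digest())

def verify(token, env, now=None):
    """Return the claims if `token` was issued for `env`; raise ValueError otherwise."""
    cfg = ENVS[env]
    head_b64, body_b64, sig_b64 = token.split(".")    # ValueError unless three parts
    header = json.loads(_b64d(head_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")            # pin the algorithm
    key = cfg["keys"].get(str(header.get("kid")))     # only this environment's keys
    if key is None:
        raise ValueError("unknown signing key")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64d(sig_b64), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))              # read claims only after the signature
    if claims.get("iss") != cfg["iss"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if cfg["aud"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims
```

A rejected token should also lead to the cookie being cleared with the same Domain attribute it was set with; otherwise the browser keeps presenting it on the next request.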
