FusionAuth
    The correct process using Fusion Auth, to make our API C accept tokens from both App A and App B without creating security issues

    Q&A
    • M
      marcos.muller
      last edited by

      1. When App A logs in a user, it receives a JWT token with the audience being AppA, and

      2. When App B logs in a user, it receives a JWT token with the audience being AppB.

      3. The API is not part of App A or App B, meaning it has its own audience, let's imagine here, ApiC. The only way we managed to get this working today is setting up API C to ignore the validation of the audience OR having a way to define which audiences are valid for the API.

      QUESTION
      What is the correct process using Fusion Auth, to make our API C accept tokens from both App A and App B without creating security issues?

      • joshuaJ
        joshua
        last edited by

        @marcos-muller,

        Welcome to the FusionAuth community!

        It sounds like you want access tokens from APP A + B to be read and accepted by APP C. Is that correct?

        If so, I would recommend exploring Single Sign On.

        • SSO blog article.
        • SSO from our documentation

        I hope this helps!

        Thanks,
        Josh

        • joshuaJ
          joshua
          last edited by joshua

          Hi @marcos-muller,

          After discussing this further with my colleagues, I may have given you misguided information.

          SSO will enable seamless login in between applications, but if you are working with aud claims you will want to access the JWT populate lambda functionality and add the corresponding API id to the aud claim.

          More info can be found here

          • https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/
          • https://fusionauth.io/docs/v1/tech/lambdas/

          I hope this helps!

          Thanks,
          Josh

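As an added example of the approach Josh describes (this is not code from the thread or from FusionAuth itself): a JWT populate lambda that appends API C's id to the `aud` claim at token issuance, shown next to the audience check API C would then enforce instead of switching audience validation off. It assumes the FusionAuth lambda signature `populate(jwt, user, registration)` and that the `aud` claim can be modified from that lambda; all application ids are placeholders, and the sample token payloads are constructed for the demo.

```javascript
// Added example, not FusionAuth's own code. Assumptions: the JWT populate lambda
// is a JavaScript function populate(jwt, user, registration) whose `jwt` claims,
// including `aud`, can be modified; the ids below are placeholders.

const API_C_ID = "00000000-0000-0000-0000-00000000000c"; // placeholder id for API C

// JWT populate lambda: keep the issuing application's own audience and add API C,
// so a token issued for App A or App B also names API C as an intended recipient.
function populate(jwt, user, registration) {
  const current = Array.isArray(jwt.aud) ? jwt.aud.slice() : (jwt.aud ? [jwt.aud] : []);
  if (!current.includes(API_C_ID)) {
    current.push(API_C_ID);
  }
  jwt.aud = current;
}

// API C side: strict audience check rather than "ignore aud". RFC 7519 allows
// `aud` to be a single string or an array, so both shapes are handled; a missing
// or malformed claim is rejected.
function audienceAccepted(claims, expectedAud) {
  const aud = claims.aud;
  if (typeof aud === "string") return aud === expectedAud;
  if (Array.isArray(aud)) return aud.includes(expectedAud);
  return false;
}

// Constructed sample payloads shaped like access tokens for App A, App B and an
// unrelated application, run through the lambda as FusionAuth would on issuance.
function demo() {
  const appAId = "00000000-0000-0000-0000-00000000000a"; // placeholder
  const appBId = "00000000-0000-0000-0000-00000000000b"; // placeholder
  const tokenA = { aud: appAId, sub: "user-1", applicationId: appAId };
  const tokenB = { aud: appBId, sub: "user-2", applicationId: appBId };
  const stranger = { aud: "some-other-app", sub: "user-3" };

  populate(tokenA, { id: "user-1" }, { applicationId: appAId });
  populate(tokenB, { id: "user-2" }, { applicationId: appBId });
  // `stranger` never went through a lambda that adds API C, so it must be rejected.

  return {
    aAccepted: audienceAccepted(tokenA, API_C_ID),        // true
    bAccepted: audienceAccepted(tokenB, API_C_ID),        // true
    strangerAccepted: audienceAccepted(stranger, API_C_ID), // false
    aStillForAppA: audienceAccepted(tokenA, appAId),      // true: App A's own audience is kept
    tokenAAud: tokenA.aud,                                // [appAId, API_C_ID]
  };
}

console.log(demo());
```

The point of the pairing is that API C keeps validating `aud`; the lambda widens which tokens legitimately carry API C's id, so a token minted for some other application is still refused.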