
Audience Validation for Private Key JWT Client Authentication

October 10, 2025, Auth0 Changelog

When validating JWT assertions used for client application authentication, Auth0 will impose stricter requirements and accept only a tenant's issuer identifier as a single JSON string value in the "aud" (audience) claim.

Providing an "aud" claim in either of the forms listed below is deprecated; at a future date, the service will treat such JWT assertions as invalid:

  • A JSON array of strings, provided that one of the entries contains a valid issuer identifier or endpoint URL for the respective tenant and endpoint the client authenticates against.
  • A single JSON string representing a valid endpoint URL for the respective tenant and endpoint the client authenticates against.
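To find clients that still send a deprecated form before enforcement, the three cases above can be turned into a small audit check. This is an added example, not Auth0's validation code: `ISSUER` and `ENDPOINTS` are constructed placeholder values, the function names are hypothetical, and exact string comparison is an assumption.

```python
import base64
import json

# Constructed placeholder values, not a real tenant.
ISSUER = "https://tenant.example/"
ENDPOINTS = {"https://tenant.example/oauth/token"}

def jwt_claims(assertion: str) -> dict:
    """Decode a compact JWT's payload WITHOUT verifying it (inventory use only)."""
    payload = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def classify_aud(aud, issuer: str = ISSUER, endpoints: set = ENDPOINTS) -> str:
    """Return 'accepted', 'deprecated' or 'invalid' for an assertion's aud value."""
    if isinstance(aud, str):
        if aud == issuer:
            return "accepted"      # single string equal to the issuer identifier
        return "deprecated" if aud in endpoints else "invalid"
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        # Array form is deprecated even when the issuer is one of the entries.
        hit = any(a == issuer or a in endpoints for a in aud)
        return "deprecated" if hit else "invalid"
    return "invalid"               # missing claim or wrong JSON type

def sample_assertion(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

def audit(assertions: dict) -> dict:
    """Map each client name to the classification of its assertion's aud claim."""
    return {name: classify_aud(jwt_claims(tok).get("aud"))
            for name, tok in assertions.items()}

if __name__ == "__main__":
    constructed = {
        "client-a": sample_assertion({"aud": ISSUER}),
        "client-b": sample_assertion({"aud": [ISSUER, "https://other.example/"]}),
        "client-c": sample_assertion({"aud": "https://tenant.example/oauth/token"}),
    }
    for name, verdict in audit(constructed).items():
        print(f"{name}: {verdict}")
```

Clients reported as `deprecated` authenticate today but need their assertion builder changed to emit the issuer identifier as a plain string.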

OIDC enterprise connections configured to use Private Key JWT in authenticated requests to the upstream identity provider will also be able to use the applicable issuer identifier represented as a JSON string in the "aud" claim included in JWT assertions.

We have provided additional information and timelines for enforcing this change across tenants through a dashboard and support center notification.

Fetched April 11, 2026