Sample Analysis Report

OIDC token audience and expiration issue

OIDC · oidc_jwt · discovery · jwks · SAMPLE

Confidence: MEDIUM · Sample assessment

Suspected Issue

OIDC token does not appear valid for the application

2 findings

What this is

This is an example report using sample evidence. It shows the kind of output AccessTrace generates after a user analyzes their own redacted evidence.


Technical Findings

What AccessTrace would flag

1. JWT is expired

HIGH · HIGH confidence

The token expiration time has passed. Applications should reject expired ID/access tokens.

Recommended remediation

Retest with a fresh login and confirm clock synchronization across client, IdP, and application.

Sample evidence
  • exp: 1715900000
  • Current time is after token expiration

2. JWT audience appears suspicious

HIGH · MEDIUM confidence

The audience claim appears to reference a different client/application than the one consuming the token.

Recommended remediation

Confirm the app's configured client ID and expected audience value.

Sample evidence
  • Token aud: api://old-client-id
  • Expected app client ID: access-trace-demo-client

Sample Generated Report

Troubleshooting narrative

Executive Summary

The OIDC token evidence points to token validation failure. The token appears expired and the audience value does not appear to match the consuming application.

Most Likely Root Cause

The application may be configured with the wrong client ID/audience, or the user/session is presenting a stale token from a previous configuration.

Recommended Next Step

Confirm issuer, client ID, audience, redirect URI, token lifetime, and JWKS key material. Retest with a fresh login.