OIDC troubleshooting guide
OIDC invalid_audience: what it means and how to troubleshoot it
An OIDC invalid_audience error means the ID token or access token was not issued for the application that is trying to consume it: the token's aud claim does not name the application's own client ID.
Common symptoms
- Authentication succeeds at the identity provider but the application rejects the token.
- Application logs show invalid_audience, audience mismatch, or client ID mismatch.
- The token aud claim references a test or staging client while the app expects production.
Evidence to collect
- Decoded ID token payload with aud, iss, exp, and sub claims.
- Application client_id configuration.
- IdP OIDC client ID for the environment being tested.
- Issuer and discovery document URL.
Common causes
- Application is using the wrong client ID.
- The IdP is issuing a token for the wrong OIDC client.
- A production app is connected to a test IdP client or discovery document.
How to fix or triage it
- Compare the expected client_id with the token aud claim.
- Confirm the issuer and discovery URL belong to the same environment.
- Update application and IdP settings so client ID, issuer, and audience align.
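The comparison in the triage steps above, written out as an added Python example (not part of the original guide or of AccessTrace AI). The expected values and the mismatching token claims are taken from the example evidence on this page; the token itself is constructed and unsigned, and the helper names are my own.

```python
import base64
import json

# Expected values for the production app, taken from the page's example evidence.
EXPECTED_CLIENT_ID = "vendor-portal-prod"
EXPECTED_ISSUER = "https://sso.example.edu/oauth2/default"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    """Return a compact JWT's claims WITHOUT verifying the signature (triage only)."""
    # This shows what the IdP put in the token, not that the token is genuine; a real
    # consumer must also verify the signature against the issuer's published keys.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def audience_findings(claims: dict, expected_client_id: str, expected_issuer: str) -> list:
    """Compare aud and iss with the app's expectations; an empty list means aligned."""
    # aud may be one string or a list of strings (RFC 7519 section 4.1.3); handle both.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else ([] if aud is None else [aud])
    findings = []
    if expected_client_id not in audiences:
        findings.append(f"audience mismatch: aud={audiences} but app client_id={expected_client_id!r}")
    if claims.get("iss") != expected_issuer:
        findings.append(f"issuer mismatch: iss={claims.get('iss')!r} but app expects {expected_issuer!r}")
    return findings

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed unsigned JWT (alg none, empty signature) for offline tests."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed token reproducing the staging-vs-production mix from the example evidence.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://sso-stage.example.edu/oauth2/default",
    "aud": "vendor-portal-test",
    "sub": "user-123",
    "exp": 1700000000,
})

if __name__ == "__main__":
    for finding in audience_findings(decode_payload(SAMPLE_TOKEN), EXPECTED_CLIENT_ID, EXPECTED_ISSUER):
        print(finding)
```

Two findings come back for the sample token (audience and issuer), which is exactly the pattern of a production app wired to a staging IdP client; a token whose aud list contains the expected client ID and whose iss matches returns an empty list.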
How AccessTrace AI helps
- Flags audience and client ID mismatches from plain text or decoded JWT evidence.
- Identifies test/staging/production mixing.
- Produces a concise remediation summary for app owners or vendors.
Example evidence
Expected client_id: vendor-portal-prod
Token aud claim: vendor-portal-test
Expected issuer: https://sso.example.edu/oauth2/default
Actual issuer: https://sso-stage.example.edu/oauth2/default
Turn messy access evidence into a report
Paste sanitized SSO, directory, certificate, or access-policy evidence into AccessTrace AI and generate findings, remediation steps, vendor questions, and ticket-ready language.