nimbolus · lu1as · Oct 13, 2025
diff --git a/docs/auth.md b/docs/auth.md
@@ -41,9 +41,10 @@ JWT allow granting access to a state for a given time (the token lifetime). The
 NOTE: `state` value can be set to `*` to allow accessing all project states
 
 ### Config
-| Environment Variable     | Type | Example                                      | Description                                                                       |
-|--------------------------|------|----------------------------------------------|-----------------------------------------------------------------------------------|
-| AUTH_JWT_OIDC_ISSUER_URL | bool | `https://vault.example.com/v1/identity/oidc` | Issuer URL which is used to validate token (if not defined, JWT auth is disabled) |
+| Environment Variable     | Type   | Example                                      | Description                                                                       |
+|--------------------------|--------|----------------------------------------------|-----------------------------------------------------------------------------------|
+| AUTH_JWT_OIDC_ISSUER_URL | bool   | `https://vault.example.com/v1/identity/oidc` | Issuer URL which is used to validate token (if not defined, JWT auth is disabled) |
+| AUTH_JWT_OIDC_CLIENT_ID  | string | `terraform-backend` (Default)                | Client ID (string or URI) used for validating token audience claim                |
 
 
 **Example Terraform backend configuration**

diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -32,12 +32,14 @@ func Authenticate(req *http.Request, s *terraform.State) (ok bool, err error) {
 		authenticator = basic.NewBasicAuth()
 	case jwt.Name:
 		issuerURL := viper.GetString("auth_jwt_oidc_issuer_url")
+		viper.SetDefault("auth_jwt_oidc_client_id", "terraform-backend")
+		clientID := viper.GetString("auth_jwt_oidc_client_id")
 		if addr := viper.GetString("vault_addr"); issuerURL != "" && addr != "" {
 			issuerURL = fmt.Sprintf("%s/v1/identity/oidc", addr)
 		} else {
 			return false, fmt.Errorf("jwt auth is not enabled")
 		}
-		authenticator = jwt.NewJWTAuth(issuerURL)
+		authenticator = jwt.NewJWTAuth(issuerURL, clientID)
 	default:
 		err = fmt.Errorf("backend is not implemented")
 	}

diff --git a/pkg/auth/jwt/jwt.go b/pkg/auth/jwt/jwt.go
@@ -12,11 +12,13 @@ const Name = "jwt"
 
 type JWTAuth struct {
 	issuerURL string
+	clientID  string
 }
 
-func NewJWTAuth(issuerURL string) *JWTAuth {
+func NewJWTAuth(issuerURL string, clientID string) *JWTAuth {
 	return &JWTAuth{
 		issuerURL: issuerURL,
+		clientID:  clientID,
 	}
 }
 
@@ -31,7 +33,7 @@ func (b *JWTAuth) Authenticate(secret string, s *terraform.State) (bool, error)
 	}
 
 	verifier := provider.Verifier(&oidc.Config{
-		SkipClientIDCheck: true,
+		ClientID: b.clientID,
 	})
 
 	token, err := verifier.Verify(context.Background(), secret)