From 67d92bedd03b9b5f1fc4ba6b6b59c2ef28e43ea2 Mon Sep 17 00:00:00 2001 From: Harshavardhan Musanalli Date: Sun, 10 Aug 2025 15:54:01 +0200 Subject: [PATCH] Added more details about Zitadel SSO_AUDIENCE_TRUSTED --- Enabling-SSO-support-using-OpenId-Connect.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Enabling-SSO-support-using-OpenId-Connect.md b/Enabling-SSO-support-using-OpenId-Connect.md index 86b99b0..003e91b 100644 --- a/Enabling-SSO-support-using-OpenId-Connect.md +++ b/Enabling-SSO-support-using-OpenId-Connect.md @@ -236,7 +236,9 @@ To obtain a `refresh_token` to be able to extend session you'll need to add the Additionally Zitadel include the `Project id` and the `Client Id` in the audience of the Id Token. For the validation to work you will need to add the `Resource Id` as a trusted audience (`Client Id` is trusted by default). -You can control the trusted audience with the config `SSO_AUDIENCE_TRUSTED` +You can control the trusted audience with the config `SSO_AUDIENCE_TRUSTED`. + +According to [Zitadel#9200](https://github.com/zitadel/zitadel/issues/9200), `id_token` passes a list of trusted audiences including the `Project Id`. If you end up having many trusted `aud` strings, `SSO_AUDIENCE_TRUSTED`, may become unmanageable. In such cases, `SSO_AUDIENCE_TRUSTED: '^\d{18}$'` (18 is the size of each string in `aud` list, it may differ depending on your Zitadel implementation) would help you but it's safe to individually add all the `aud` strings like `SSO_AUDIENCE_TRUSTED: '^abcd|def|xyz$'`. Since [zitadel#721](https://github.com/zitadel/oidc/pull/721) PKCE should work with client secret. But older versions might have to disable it (`SSO_PKCE=false`).
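Review bot: the regex in the added example `SSO_AUDIENCE_TRUSTED: '^abcd|def|xyz$'` does not do what the sentence claims, because `|` binds more loosely than the anchors: it matches any `aud` value that starts with `abcd`, or contains `def` anywhere, or ends with `xyz`, rather than exactly those three strings. Please change it to `SSO_AUDIENCE_TRUSTED: '^(abcd|def|xyz)$'` so the anchors apply to every alternative; as written it would trust audiences the author never listed, which is the opposite of the "safe" option the paragraph is recommending. The same hunk should be clearer that `'^\d{18}$'` is a relaxation of audience validation, not an equivalent: it accepts any 18-digit audience, so an `id_token` issued for a different project or client in the same Zitadel instance would also pass the `aud` check, whereas an explicit list only accepts the identifiers you enumerate. Suggest rewording "but it's safe to individually add all the `aud` strings" to "but it's safer to list every expected `aud` string explicitly", and noting the trade-off next to the `\d{18}` shortcut. Minor: the unchanged line above says "Zitadel include" (should be "includes"), which could be fixed while touching this paragraph.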