Verification of ApplicationID in JWT

Does the AuthService bundled with the SDK validate the ApplicationID in the JWT against the ApplicationID supplied in the LedgerAPI Command?

The Authorizer seems to ignore it: https://github.com/digital-asset/daml/blob/878429e3bf07b09e727224d5dc423444d071a95b/ledger/ledger-api-auth/src/main/scala/com/digitalasset/ledger/api/auth/Authorizer.scala#L29

You are absolutely right, this is a bug. Thanks to @Robert_Autenrieth for looking into this.

I’m opening a ticket to track this.

Tracked by Authorization ignores the application identifier in the token · Issue #5683 · digital-asset/daml · GitHub.

Thanks for raising this.