The /userinfo endpoint can be called either with an opaque access token that is specifically aimed for this purpose (currently, you could distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.
When the access token is in the JWT format, the token must list https://[your_account].auth0.com/userinfo as an audience aud in order for it to be valid to call the /userinfo endpoint.
The access token you’re using does not meet this requirement as it only lists a different API as a valid audience. When you specify an audience parameter for an endpoint other than the user information one, you need to consider that /userinfo will only be included as an additional audience if the following occurs:
the API specified in the audience parameter does not use HS256 as the signing algorithm.
you specify a scope parameter that includes openid.
Based on the information you provided you seem to be correctly asking for the openid scope. It’s not clear which signing algorithm the API you used as audience is using as you did not include the header component of the issued access token. However, if the API uses HS256 then that’s the explanation for why you don’t get an audience valid for /userinfo.
I have the same problem. I have declared my own API and I am using /authorize with email/password and my own API as audicence, since I need an access token valid for my own API.
In the responseType I specify token and id_token, I get back both but neither work since the audience is my own API or the client id.
I am not sure on what to do, am I expected to login to auth0’s API too? It gets a bit complex…
I’ve just tried /api/v2/users/ID which returns me all profile data I need. I’m also about to try an update. I don’t know exactly what api I can use with this token, since the api explorer can’t get scopes out of it. Which is also confirmed if I put the token in jwt.io, there are no defined scopes.
Hi, I am experiencing the same problem. I am using lock10 to authroize an audience api that is RS256 and I have openid as scope, but the resulting token still not list /userinfo as one of the audiences along side my api