JWT returned to callback has incorrect aud (audience)

I am using angular2-jwt to initially authenticate, and then passing the id_token to my server to authenticate against my REST API. When auth0 redirects back to my angular app with the JWT, it seems to be passing an incorrect aud (audience) in the JWT. My server rejects the JWT due to validation errors with the audience. The audience I requested was my Auth0 identifier (http://XXX.YYY.com/api). The aud returned when I inspect the JWT with jwt.io is mpXWwpAOBTt5aUM1SE2q5KuUtr4YvUE9. Why is the aud being returned with the incorrect value?

Yes, the audience for an id_token will be the Client ID for the Client to which the id_token was issued.

The audience for your access_token will be for the API Identifier (“http://XXX.YYY.com/api”). You should be sending the access_token to authenticate requests to your API Server.

Please see the following docs to understand the difference between and usage of the two:

Also, see this section of the Angular Quickstart:
https://auth0.com/docs/quickstart/spa/angular2/03-calling-an-api

Wow. Not sure what changed. I was trying to use “access_token” at one point. But, the access_token didn’t look like a JWT. It was short, something like “xyasdfk_kjfdsa234”. Now, when I look again, it is much longer, and looks like a properly formatted JWT. Again, not sure what changed, but thanks for having me look again!

If you do not pass an audience parameter, then the access_token being returned will be short like you mentioned. So I think what changed was that at some point you did not pass an audience parameter and then, later on, you changed your app to pass it.

I know I’ve always sent an audience in my original request. However, I later realized that the audience was incorrect. So I changed it.

Is it correct behavior that if an incorrect audience is passed, the access_token will be very small (like previously mentioned)?

I am not sure. Perhaps if the audience is invalid (i.e. there is no API Identifier with that value), then it is the same as sending no audience.