401, Bearer error="invalid_token", The audience is invalid

Hello,

I am developing a web application using ASP.NET Core and React with Auth0. So far, I’ve had no issues with setting up the spa-client and the api. However, I am facing the following issue when calling my api: “401, Bearer error="invalid_token", The audience is invalid”.

I’ve used this guide to set up server authorization:

I’ve tried following this guide in order to send the access token and test the authorization:

I’ve also tried reading through similar topics and none of the solutions have helped.

Here is the Auth0 setup in my appsettings.json:

    "Auth0": {
      "Domain": "https://dev-********.us.auth0.com/",
      "Audience": "https://localhost:44350/api"
    },

Here is the setup in my index.js file

I am using axios to send my request. Here is how I acquired the token and created the authorization header:

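    import { useAuth0 } from "@auth0/auth0-react";

    const { getAccessTokenSilently } = useAuth0();
    const token = await getAccessTokenSilently();
    const axiosConfig = {
      // Template literal: the header value is the string "Bearer <token>"
      headers: { Authorization: `Bearer ${token}` }
    };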

When executing a put request, these are the headers:

And this is the response:

The only thing that seems out of the ordinary is that there are two audiences inside of the token. I’m not sure why the ‘https://…/userinfo’ keeps getting added and whether that is the problem. If so, please provide me with an answer on how to fix this issue.

Sorry for the long message, I wanted to make sure I have provided all the required information. Please let me know if you need anything else.

Looking forward to the reply,
Bojan

Hi @bvlasonjic, welcome to the community!

The userinfo audience is added if you include openid in the scope of the authorize request.

Unfortunately I found that the openid scope is always applied when using the React SDK, and it cannot be removed from the default scopes:

However, I did find this SO post that showed a potential workaround to allow more than one audience to be validated within the ASP.NET core configuration:

Thank you for the quick reply @sgo!

Thank you for the provided information. After spending hours of hitting my head against a wall, I decided it would be easier to post a question here. Should I have kept hitting my head a little longer it probably would have occurred to me to google out something for those 2 audiences and I would have probably found that post.

Either way, thank you very much, the workaround within the ASP.NET Core configuration solved the problem. Hopefully, this post will help someone else as well.

Keep up the good work and best of luck to you!


Perfect! Glad to hear that!
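
An added example (not from the thread, the linked posts or Auth0): a Node.js helper for debugging an "audience is invalid" response by decoding the access token's payload and checking whether the API's configured Audience value appears in its `aud` claim, which RFC 7519 allows to be a single string or an array. The tenant URL, tokens and function names are constructed for illustration, and the payload is decoded without verifying the signature, so this is a diagnostic aid rather than a validator.

```javascript
// Helper for building the constructed sample tokens below.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode the middle (payload) segment of a compact JWT. No signature check.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// "aud" may be a string or an array; the API must find its own identifier in it.
// nearMisses is a heuristic: values differing only by case or trailing slash.
function checkAudience(jwt, expected) {
  const { aud } = decodePayload(jwt);
  const audiences = aud === undefined ? [] : [].concat(aud);
  const norm = (s) => String(s).toLowerCase().replace(/\/+$/, "");
  const exact = audiences.includes(expected);
  const nearMisses = exact
    ? []
    : audiences.filter((a) => norm(a) === norm(expected));
  return { audiences, exact, nearMisses };
}

// Constructed sample tokens (dummy signature, placeholder tenant).
const makeToken = (aud) =>
  [b64url({ alg: "RS256", typ: "JWT" }),
   b64url({ iss: "https://tenant.example/", aud }),
   "sig"].join(".");

const API = "https://localhost:44350/api"; // Audience value from appsettings.json
const USERINFO = "https://tenant.example/userinfo"; // added with the openid scope
const twoAud = makeToken([API, USERINFO]);
const slashAud = makeToken([API + "/", USERINFO]);

console.log(checkAudience(twoAud, API));   // API identifier present among two
console.log(checkAudience(slashAud, API)); // only a trailing-slash variant present
```
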
