I followed the guide here (Auth0 Expo SDK Quickstarts: Login) successfully and received an access token. The only change I had to make was to pass in an audience parameter to authorize().
However, the access token I get doesn’t appear to be signed: when I try to verify it using the secret key found at
Applications → My App → Settings tab → Advanced Settings → Certificates → Signing Certificate
it fails to verify. The weird part is that the right access token is generated when I use the express-openid-connect method in my Express app, where I specify the following:
    auth({
      idpLogout: true,
      issuerBaseURL: process.env.AUTH0_ISSUER_BASE_URL,
      baseURL: process.env.BASE_URL,
      clientID: process.env.AUTH0_CLIENT_ID,
      secret: process.env.SESSION_SECRET,
      clientSecret: process.env.AUTH0_CLIENT_SECRET,
      authRequired: false,
      auth0Logout: true,
      idTokenSigningAlg: "RS256",
      authorizationParams: {
        scope: "openid profile email",
        response_type: "code",
        response_mode: "form_post",
        audience: "punchline/api",
      },
    });
I obviously can’t pass things like process.env.AUTH0_CLIENT_SECRET from my iOS app, as secrets shouldn’t be stored on the client side, but I’m wondering why the properly signed access token is generated with express-openid-connect, but fails using Expo.
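
An added example, not part of the original post and not Auth0's code: a Node.js check that first classifies a token as opaque, encrypted (JWE) or signed (JWS), then verifies an RS256 signature with the public key and checks `aud`. The key pair and tokens are constructed samples standing in for the tenant's signing key, and `inspectToken`, `verifyRs256` and `signSample` are hypothetical helper names.

```javascript
const crypto = require("node:crypto");

const b64urlDecode = (s) => Buffer.from(s, "base64url");

// Classify the token by shape before attempting any signature check.
function inspectToken(token) {
  const parts = token.split(".");
  if (parts.length === 5) return { kind: "jwe" };    // encrypted: nothing to verify directly
  if (parts.length !== 3) return { kind: "opaque" }; // not a JWT at all
  try {
    const header = JSON.parse(b64urlDecode(parts[0]).toString("utf8"));
    return { kind: "jws", header, parts };
  } catch {
    return { kind: "opaque" };
  }
}

// Verify an RS256 JWS against a PEM public key (or PEM certificate), then check aud.
// Issuer and expiry validation are normally done by a JWT library and are not shown.
function verifyRs256(token, publicKeyPem, expectedAudience) {
  const info = inspectToken(token);
  if (info.kind !== "jws") return { ok: false, reason: `not a signed JWT (${info.kind})` };
  const alg = info.header?.alg;
  if (alg !== "RS256") return { ok: false, reason: `unexpected alg ${alg}` };
  const [h, p, s] = info.parts;
  const valid = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKeyPem, b64urlDecode(s));
  if (!valid) return { ok: false, reason: "signature mismatch" };
  const claims = JSON.parse(b64urlDecode(p).toString("utf8"));
  const aud = [].concat(claims.aud ?? []); // aud may be a string or an array
  if (!aud.includes(expectedAudience)) return { ok: false, reason: "audience mismatch" };
  return { ok: true, claims };
}

// Constructed sample data: a throwaway RSA key pair and a token signed with it.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const pem = publicKey.export({ type: "spki", format: "pem" });
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
function signSample(header, claims) {
  const input = `${enc(header)}.${enc(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey).toString("base64url");
  return `${input}.${sig}`;
}
const goodToken = signSample({ alg: "RS256", typ: "JWT" }, { aud: "punchline/api", sub: "sample" });

console.log(verifyRs256(goodToken, pem, "punchline/api").ok);
console.log(verifyRs256("dGhpcy1pcy1vcGFxdWU", pem, "punchline/api").reason);
```

The `reason` string separates a token that is not a JWS at all from one signed with a different algorithm or key, which are different failure causes.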