We currently are trying to start working with Auth0, and have the following situation:
- we use a custom domain “https://login.baz.com”
- we have an API (ASP.NET Core) and a SPA (React)
- both are registered in Auth0, the API with an identifier “https://foo.bar.com”
- the React app makes a login call to Auth0 using auth0.js, with the following options:
auth0 = new auth0.WebAuth({
domain: “https://login.baz.com”,
clientID: superinterestingclientid,
audience: “https://foo.bar.com”,
responseType: “token id_token”,
scope: “openid”
});
When we receive the authResult from Auth0, it looks as follows:
{
“iss”: “https://login.baz.com/”,
“sub”: “auth0|1234567890”,
“aud”: [
“https://foo.bar.com”,
“https://ourtenantname.eu.auth0.com/userinfo”
],
“iat”: 1542895049,
“exp”: 1542902249,
“azp”: “alsosuperinteresting”,
“scope”: “openid”
}
I understand the audience field from the JWT can be validated by the API to match its own configured valid audience; I also think I understand the second audience (https://ourtenantname.eu.auth0.com/userinfo) exists so we can use the access token to make calls to the Auth0 Management API. However, we’re currently not looking to make calls to the Auth0 Management API, and are not really keen to see the tenant name show up in the audience list in the access token.
So my probably super-stupid question: is there some way to ensure the access token only contains the given audience, “https://foo.bar.com”?
Thanks!