I have 1 tenant with 2 applications (foo-app and bar-app) and 2 APIs (foo-api and bar-api). Both applications and APIs are configured basically identically, with the exception of the token signing methods.
foo-app/foo-api uses RS256
bar-app/bar-api uses HS256
When logging in with foo-app and providing an audience of foo-api, I’m able to get an access token that has two audiences embedded:
foo-api
{myDomain}/userinfo
When logging in with bar-app and providing an audience of bar-api, I’m able to get an access token, but it only includes 1 audience: bar-api.
I would like to be able to get an access token from bar-app with both audiences:
This is expected behavior - Tokens signed HS256 will not include the /userinfo audience, only RS256 will. Userinfo will accept opaque access tokens and RS256 tokens with the userinfo audience.
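To see the difference described in the answer above on a token you already hold, the following added example (not code from this thread or from the identity provider) decodes a JWT access token without verifying it and reports its signing algorithm and audiences. The sample tokens, the `tenant.example` domain and all function names are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_access_token(token: str, userinfo_aud: str) -> dict:
    """Read alg and aud WITHOUT verifying the signature (diagnostics only)."""
    opaque = {"format": "opaque", "alg": None, "aud": [], "has_userinfo_aud": False}
    parts = token.split(".")
    if len(parts) != 3:
        return opaque  # opaque access tokens carry no readable claims
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return opaque  # three segments, but not decodable JSON
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return opaque
    aud = claims.get("aud", [])
    # RFC 7519: "aud" is either a single string or an array of strings.
    aud = [aud] if isinstance(aud, str) else list(aud)
    return {"format": "jwt", "alg": header.get("alg"), "aud": aud,
            "has_userinfo_aud": userinfo_aud in aud}


def make_sample(alg: str, aud) -> str:
    # Builds a constructed token with a placeholder signature (not a real one).
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"aud": aud}).encode())
    return f"{header}.{body}.{b64url_encode(b'constructed-signature')}"


# Constructed stand-in for {myDomain}/userinfo and for the two tokens in the question.
USERINFO = "https://tenant.example/userinfo"
RS256_TOKEN = make_sample("RS256", ["foo-api", USERINFO])
HS256_TOKEN = make_sample("HS256", "bar-api")

if __name__ == "__main__":
    for name, tok in (("foo-app", RS256_TOKEN), ("bar-app", HS256_TOKEN)):
        print(name, inspect_access_token(tok, USERINFO))
```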