Access token missing aud for userinfo endoint

connormckelvey · April 18, 2023, 3:38pm

I have 1 tenant with 2 applications (foo-app and bar-app) and 2 APIs (foo-api and bar-api), both applications and APIs are configured basically identically with the exception of the token signing methods.

foo-app/foo-api uses RS256
bar-app/bar-api uses HS256

When logging in with foo-app and providing an audience of foo-api, I’m able to get an access token that has two audiences embedded

foo-api
{myDomain}/userinfo

When logging in with bar-app and providing an audience of bar-api, I’m able to get an access token, but it only includes 1 audience: bar-api.

I would like to be able to get an access token from bar-app with both audiences:

bar-api
{myDomain/userInfo}

ty.frith · April 18, 2023, 10:44pm

Hello @connormckelvey welcome to the community!

This is expected behavior - Tokens signed HS256 will not include the /userinfo audience, only RS256 will. Userinfo will accept opaque access tokens and RS256 tokens with the userinfo audience.

Hope this helps to clarify!

Topic		Replies	Views
Not able to access /userinfo from created API Get Help access-token-userinf	5	5974	March 2, 2018
OPError: invalid_token (The access token signature could not be validated Get Help apis , application	8	2524	March 23, 2023
Multiple Audience Get Help auth0 , api , python	4	2779	August 3, 2022
Right way to call userinfo Get Help userinfo , access-token , token-endpoint , authorize-endpoint	2	13203	March 2, 2018
Audience value in returned Bearer token JWT is a list Get Help userinfo , password , access_token , audience , access-token	2	7804	March 2, 2018

Access token missing aud for userinfo endoint

Related topics