Access token missing aud for userinfo endpoint

I have 1 tenant with 2 applications (foo-app and bar-app) and 2 APIs (foo-api and bar-api); both applications and both APIs are configured basically identically, with the exception of the token signing methods.

  • foo-app/foo-api uses RS256
  • bar-app/bar-api uses HS256

When logging in with foo-app and providing an audience of foo-api, I’m able to get an access token that has two audiences embedded:

  1. foo-api
  2. {myDomain}/userinfo

When logging in with bar-app and providing an audience of bar-api, I’m able to get an access token, but it only includes 1 audience: bar-api.

I would like to be able to get an access token from bar-app with both audiences:

  1. bar-api
  2. {myDomain}/userinfo

Hello @connormckelvey welcome to the community!

This is expected behavior - tokens signed with HS256 will not include the /userinfo audience; only RS256 tokens will. Userinfo will accept opaque access tokens and RS256 tokens with the userinfo audience.

Hope this helps to clarify!
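A claims-level check for the behaviour described in this answer, as an added example that is not from the original thread or from Auth0's own code: it builds two constructed tokens (an HS256 token signed with a made-up secret, and an RS256-headed token with a placeholder signature, since only claims are inspected), normalises `aud` (a string or an array per RFC 7519), and decides whether a token can be sent to /userinfo. The domain, audience URIs and secret are placeholders.

```python
import base64
import hashlib
import hmac
import json
# Constructed placeholders; the original thread only names "{myDomain}".
DOMAIN = "example-tenant.example.com"
USERINFO_AUD = f"https://{DOMAIN}/userinfo"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(alg: str, aud, secret: bytes = b"constructed-secret") -> str:
    """Build a sample JWT; HS256 is signed with the secret, RS256 gets a placeholder."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"iss": f"https://{DOMAIN}/", "sub": "auth0|example", "aud": aud}
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    if alg == "HS256":
        sig = b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    else:
        sig = b64url(b"placeholder-signature")  # not a real RSA signature
    return f"{header}.{payload}.{sig}"

def is_jwt(token: str) -> bool:
    """Opaque access tokens are not three base64url JSON segments."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        json.loads(b64url_decode(parts[0]))
        json.loads(b64url_decode(parts[1]))
        return True
    except ValueError:
        return False

def audiences(token: str) -> list:
    """Return aud as a list; RFC 7519 allows either a string or an array."""
    aud = json.loads(b64url_decode(token.split(".")[1])).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)

def usable_for_userinfo(token: str) -> bool:
    """Claims-only routing check (no signature verification): /userinfo accepts
    opaque tokens and RS256 tokens carrying the userinfo audience, not HS256."""
    if not is_jwt(token):
        return True
    alg = json.loads(b64url_decode(token.split(".")[0])).get("alg")
    return alg == "RS256" and USERINFO_AUD in audiences(token)
```

This inspection only avoids a /userinfo call that would be rejected; it does not verify the signature, so nothing in the token should be trusted for authorization on this basis alone.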
