
Access tokens with multiple audiences

jwt
auth0
api
audience

#1

Hi!

We are managing 3 different APIs, all of which are managed under the same Auth0 tenant, but they are decoupled and located at different hosts. All APIs are defining different scopes, etc. To exemplify, let’s call them api.foo.com, api.bar.com and api.baz.com. When we log in using Auth0, the aud property (which can be an array) when targeting the Foo API is being set to e.g. https://api.foo.com. All of the APIs are secured by a shared IDP, so the users will have the same username/password for all 3 APIs.

Some of our client applications consuming the APIs will be required to access all 3 APIs.

One way to accomplish this is to require the client application to log in to each API separately. This implies requiring the user to log in 3 different times, which would result in 3 different access tokens. However, that would be a pretty lame user experience. :japanese_goblin:

What we instead would like is to log in to all 3 APIs simultaneously, so that the aud property in the resulting access token would become something like:
`["api.foo.com", "api.bar.com", "api.baz.com"]`

The access token would then become usable against all 3 APIs.

1) Is there a way to accomplish this with Auth0?

The authorization request looks something like this (query parameters joined with `&`):

```
https://our-auth0-tenant.eu.auth0.com/authorize?
  audience=api.foo&
  scope=read write&
  response_type=token&
  client_id={account.clientId}&
  redirect_uri=https://OUR_APP/callback&
  nonce={CRYPTOGRAPHIC_NONCE}&
  state={OPAQUE_VALUE}
```

…one can only target one audience.

  1. Is it possible to use Auth0 rules to manipulate the aud property?

  2. Another option that we’re looking into is to create Auth0 APIs with “constructed” audiences, like api.foo+api.bar+api.baz, and then manage access on a more fine-grained basis using scopes. However, we would very much like to avoid this…

Appreciate any help or comments!


#2

Auth0 doesn’t support multiple audiences. It’s also not possible to change the aud parameter via rules, and it likely wouldn’t be secure to do so.

You should instead use scopes to represent multiple APIs while using a single audience.

