I noticed that to gain API access you have to set the audience with the first authorization request. Even if you’re using the Authorization Code Flow. As OpenIdConnectOptions doesn’t suppor that - the ASP.NET Core samples for storing the tokens aren’t working properly.
Is there a way to configure the Client in Auth0 to NOT require the Audience to grant an access token when trading the authorization code?
You should be able to add additional parameters using an approach similar to the following:
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions()
{
// Other configuration and standard parameters
// ...
Events = new OpenIdConnectEvents
{
OnRedirectToIdentityProvider = context =>
{
context.ProtocolMessage.SetParameter("audience", "https://api.example.com/");
return Task.FromResult(0);
}
}
});
Yep. But why is that required? Is that specified in any of the RFCs? Also, why is there no setting on the Client to disable it?
It’s not part of the OAuth2 RFC’s or OIDC, it’s a provider specific parameter (which in the OAuth2 world is nothing that uncommon). It’s needed as a way to know to which API the access token is meant to be issued. You can configure a default audience in your account settings which would mean you would not have to actually pass the parameter in the request as it would be implied from the global setting.