I noticed that to gain API access you have to set the audience with the first authorization request. Even if you’re using the Authorization Code Flow. As OpenIdConnectOptions doesn’t suppor that - the ASP.NET Core samples for storing the tokens aren’t working properly.
Is there a way to configure the Client in Auth0 to NOT require the Audience to grant an access token when trading the authorization code?
It’s not part of the OAuth2 RFC’s or OIDC, it’s a provider specific parameter (which in the OAuth2 world is nothing that uncommon). It’s needed as a way to know to which API the access token is meant to be issued. You can configure a default audience in your account settings which would mean you would not have to actually pass the parameter in the request as it would be implied from the global setting.