
Audience required for API Access and ASP.NET Core Samples not working

aspnet-core

#1

I noticed that to gain API access you have to set the audience with the first authorization request, even if you’re using the Authorization Code Flow. As OpenIdConnectOptions doesn’t support that, the ASP.NET Core samples for storing the tokens aren’t working properly.

Is there a way to configure the Client in Auth0 to NOT require the Audience to grant an access token when trading the authorization code?


#2

You should be able to add additional parameters using an approach similar to the following:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions()
{
    // Other configuration and standard parameters
    // ...
    Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.SetParameter("audience", "https://api.example.com/");

            return Task.FromResult(0);
        }
    }
});

#3

Yep. But why is that required? Is that specified in any of the RFCs? Also, why is there no setting on the Client to disable it?


#4

It’s not part of the OAuth2 RFCs or OIDC; it’s a provider-specific parameter (which in the OAuth2 world is not that uncommon). It’s needed as a way to know to which API the access token is meant to be issued. You can configure a default audience in your account settings, which would mean you would not have to actually pass the parameter in the request, as it would be implied from the global setting.
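
The API-side counterpart of the audience discussed above, as an added example that is not part of the original thread or of Auth0's samples: the API accepts an access token only if its `aud` claim names that API. It assumes the access token is a JWT, uses the ASP.NET Core 1.x JwtBearer middleware to match the thread's code style, and the tenant URL and API identifier are placeholders.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Placeholder values (assumptions): your tenant URL and the API
    // identifier that the client sends as the "audience" parameter.
    private const string Authority = "https://YOUR_TENANT.example.com/";
    private const string ApiAudience = "https://api.example.com/";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            // Signing keys and the expected issuer are loaded from the
            // authority's OpenID Connect discovery document.
            Authority = Authority,

            TokenValidationParameters = new TokenValidationParameters
            {
                // Reject tokens that were issued for a different API,
                // even when they are correctly signed by the same tenant.
                ValidateAudience = true,
                ValidAudience = ApiAudience,

                ValidateIssuer = true,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true
            }
        });

        // Controllers marked [Authorize] now require a token whose
        // audience matches ApiAudience.
        app.UseMvc();
    }
}
```

If a default audience is configured for the account, as described above, `ApiAudience` has to match that value for tokens obtained without an explicit `audience` parameter.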


#5