Audience yes, no, why?

sebastian.richter · March 11, 2021, 3:03pm

Hello guys,

for months now I have been using the auth0-spa-js SDK with my dev tenant and my dev application for login.

     await createAuth0Client({
        domain: 'my-domain',
        client_id: 'xyz012',
        audience: undefined, // remember this, it says it is optional
        redirect_uri: redirectUri,
        cacheLocation: 'memory',
        useRefreshTokens: true,
      })

The documentation of the SDK https://auth0.github.io/auth0-spa-js/interfaces/auth0clientoptions.html#audience says audience is optional, so setting it to undefined should be no problem, right? Yeah it works! I login and get a real jwt access token.

Now here is the kicker. Today I finally deployed to production using my auth0 production tenant and application. Remember audience is still undefined! Yeah no problem, right? Wrong! Getting unauthorized exceptions from my API now. What the frick? The reason for this is, that I now get an opaque access token in production tenant after login! Googled a bit and found this Why is my access token not a JWT? (Opaque Token). And it says you have to send a audience to get a real jwt token, right?

So now I am totally confused why its working on one tenant without audience and on one it doesn’t.

What could be the problem? Do you have any ideas? Am I the problem?

dan.woda · March 11, 2021, 5:30pm

Hi @sebastian.richter,

It is optional, but you shouldn’t return a JWT if there isn’t a registered audience as the param.

In the application that is returning a JWT, what is the aud claim? Undefined?

jawineinger · March 11, 2021, 8:19pm

If you decode a JWT from your first tenant, does it have an aud claim set to anything?

Also, under your tenant settings > General > API Authorization Settings, there is a “Default Audience” setting. You may want to check if you have something there for your first tenant and not for your second.

dan.woda · March 11, 2021, 8:32pm

That’s a great point @jawineinger, it could be a default audience that is allowing you to get a JWT. The aud will show us what is going on.

cibrax · March 11, 2021, 8:34pm

No audience is really a bad idea. Anyone can get a token from the same Authorization Server for any other API and use it with yours. The audience is a first layer of defense against that attack.

sebastian.richter · March 12, 2021, 9:00am

@jawineinger @dan.woda There you go! Indeed in my dev tenant there was a default audience set. I always forget to look in there. So all good. I was the problem :).

Final question. Am I fine using the default audience or is it better to always define the audience in my app (I just have one audience)?

dan.woda · March 12, 2021, 4:35pm

@sebastian.richter

If every access token is designated for the same API (audience) then you should be okay using the default audience.

Topic		Replies	Views
Access Token is opaque even sending audience Get Help	2	1628	July 13, 2022
Making a request for id token in oauth/token with audience returns unexpected aud value JWT.io	3	2644	April 17, 2025
Passed Audience is automatically overwritten during /authorize Get Help apis , application	3	1781	December 9, 2022
createAuth0Client ignores passed in Audience. Generates JWT with audience of access_token Get Help angular , jwt , auth0 , spa , auth0-spa-js	4	4553	March 4, 2020
Authorization code flow returns opaque token instead of JWT even though audience is set Get Help jwt , api	10	5635	November 26, 2021

Audience yes, no, why?

Related topics