Audience yes, no, why?

Hello guys,

for months now I have been using the auth0-spa-js SDK with my dev tenant and my dev application for login.

     import { createAuth0Client } from '@auth0/auth0-spa-js';

     const auth0 = await createAuth0Client({
        domain: 'my-domain',
        client_id: 'xyz012',
        audience: undefined, // remember this, it says it is optional
        redirect_uri: redirectUri,
        cacheLocation: 'memory',
        useRefreshTokens: true,
      });

The SDK documentation (Auth0ClientOptions | @auth0/auth0-spa-js) says audience is optional, so setting it to undefined should be no problem, right? Yeah, it works! I log in and get a real JWT access token.

Now here is the kicker. Today I finally deployed to production using my Auth0 production tenant and application. Remember, audience is still undefined! Yeah, no problem, right? Wrong! Getting unauthorized exceptions from my API now. What the frick? The reason for this is that I now get an opaque access token in the production tenant after login! Googled a bit and found this: "Why is my access token not a JWT? (Opaque Token)". And it says you have to send an audience to get a real JWT token, right?

So now I am totally confused why it's working on one tenant without an audience and on the other it doesn't.

What could be the problem? Do you have any ideas? Am I the problem?

Hi @sebastian.richter,

It is optional, but you shouldn’t return a JWT if there isn’t a registered audience as the param.

In the application that is returning a JWT, what is the aud claim? Undefined?

If you decode a JWT from your first tenant, does it have an aud claim set to anything?

Also, under your tenant settings > General > API Authorization Settings, there is a “Default Audience” setting. You may want to check if you have something there for your first tenant and not for your second.


That’s a great point @jawineinger, it could be a default audience that is allowing you to get a JWT. The aud will show us what is going on.

No audience is really a bad idea. Anyone can get a token from the same Authorization Server for any other API and use it with yours. The audience is a first layer of defense against that attack.
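To show the two points above in code (decoding the `aud` claim to see what a token was issued for, and an API refusing tokens minted for another API or with no audience at all), here is an added example; it is not code from the thread or from the auth0-spa-js SDK, and the function names, the API identifier and the sample tokens are all constructed for the demo.

```javascript
// Added example (not from the thread or the auth0-spa-js SDK): the audience check
// an API should apply to a bearer token. It also tells a JWT apart from the opaque
// token Auth0 issues when no audience is requested. Names and sample tokens are
// constructed; signature verification (tenant JWKS) is assumed done beforehand.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Returns the payload object, or null for anything not shaped like a JWT
// (an opaque access token has no dot-separated JSON segments).
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload && typeof payload === 'object' ? payload : null;
  } catch {
    return null;
  }
}

// Audience check: `aud` may be a string or an array (RFC 7519), and the API's
// own identifier must be among the values, otherwise the token is for another API.
function checkAudience(token, expectedAudience) {
  const payload = decodeJwtPayload(token);
  if (!payload) return { ok: false, reason: 'not a JWT (opaque token?)' };
  if (payload.aud === undefined) return { ok: false, reason: 'no aud claim' };
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!auds.includes(expectedAudience)) {
    return { ok: false, reason: 'aud ' + JSON.stringify(auds) + ' is for another API' };
  }
  return { ok: true, reason: 'audience matches' };
}

// Constructed, unsigned sample tokens for the demo (the signature segment is a dummy).
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(payload) + '.dummy-signature';
}

const MY_API = 'https://api.example.com'; // assumed API identifier (audience)
const SAMPLE_TOKENS = {
  forMyApi: makeSampleJwt({ iss: 'https://tenant.example/', sub: 'user1', aud: MY_API }),
  forOtherApi: makeSampleJwt({ iss: 'https://tenant.example/', sub: 'user1', aud: 'https://other.example' }),
  opaque: 'ZXhhbXBsZS1vcGFxdWUtdG9rZW4', // shape of the no-audience token from the thread
};
```

Running `checkAudience` over the three samples gives one accept and two rejects with different reasons, which is the distinction the API in the first post was missing.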

@jawineinger @dan.woda There you go! Indeed in my dev tenant there was a default audience set. I always forget to look in there. So all good. I was the problem :).

Final question. Am I fine using the default audience or is it better to always define the audience in my app (I just have one audience)?


@sebastian.richter

If every access token is designated for the same API (audience) then you should be okay using the default audience.
