Can the Auth Server and Audience Base URL be the same?

I’m currently investigating a legacy project and came across an unusual snippet where the authentication server base URL and the audience base URL are identical. My understanding is that this is typically not allowed unless we are self-hosting Auth0, which is not an option in this case. Are there any scenarios where the provided code could be valid?

```typescript
// Requests an access token using the client-credentials grant.
export async function getOauthToken(): Promise<Objects.Auth0TokenPayload> {
    const options = {
        method: 'POST',
        // Token endpoint on the Auth0 tenant domain
        url: 'https://' + authvalues.DOMAIN + '/oauth/token',
        headers: { 'content-type': 'application/json' },
        json: true,
        body: {
            client_id: authvalues.API_CLIENTID,
            client_secret: authvalues.API_CLIENTSECRET,
            // Audience on the same tenant domain as the token endpoint
            audience: 'https://' + authvalues.DOMAIN + '/api/v2/',
            grant_type: 'client_credentials',
        },
    };

    const resp = request.post(options) as unknown;
    // (snippet ends here in the original post)
```

One more clue: this is a Node.js app that serves an Angular front end (running on the same port).

Thank you for your assistance.

Hey @aamuzakii welcome to the community!

This looks to me like code to obtain a Management API access token, for which it is valid as far as I can tell.


Thanks, I just realized it. We cannot create an API with an identifier pointing to the Auth0 domain, but there's already an existing API using such an identifier, i.e. the Management API.

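When auditing legacy code like the snippet in this thread, it helps to confirm from the token itself that it targets the tenant's Management API, and to see which scopes it carries. The following is an added example, not code from the original posts: the tenant domain `example-tenant.auth0.com`, the helper names and the sample tokens are constructed, and the code only decodes claims (it does not verify the signature, which a real consumer must do against the tenant's JWKS).

```javascript
// Added example: inspect (not verify) the claims of an Auth0 access token.

// Management API identifier: same host as the tenant's /oauth/token endpoint.
function managementAudience(domain) {
  return `https://${domain}/api/v2/`;
}

// Decode the payload segment of a compact JWT without checking the signature.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Report whether the token came from the tenant and targets its Management API.
function inspectToken(jwt, domain) {
  const claims = decodePayload(jwt);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return {
    issuerMatches: claims.iss === `https://${domain}/`,
    isManagementToken: aud.includes(managementAudience(domain)),
    // Scopes show how much of the Management API this client can reach.
    scopes: (claims.scope || '').split(' ').filter(Boolean),
  };
}

// Constructed sample tokens (fake signature segment, hypothetical tenant).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const DOMAIN = 'example-tenant.auth0.com';
const mgmtToken = makeSampleToken({
  iss: `https://${DOMAIN}/`,
  sub: 'constructedClientId@clients',
  aud: managementAudience(DOMAIN),
  scope: 'read:users read:clients',
});
const customApiToken = makeSampleToken({
  iss: `https://${DOMAIN}/`,
  sub: 'constructedClientId@clients',
  aud: 'https://orders.example.com/api',
});

console.log(inspectToken(mgmtToken, DOMAIN));
console.log(inspectToken(customApiToken, DOMAIN));
```

A token flagged as `isManagementToken` can administer the tenant within its scopes, so the client secret behind it belongs only on the server side.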
