Auth0 configuration audience

I just found out that I have a problem with auth0 and it relates to the auth0 configuration audience. When I explicitly write the audience, the JWT verification fails with the error "The provided Algorithm doesn't match the one defined in the JWT's Header". When I don't write the audience, everything works fine, except that now every time the token expires and the user clicks on the login link, it skips the login process and immediately logs in with the previous credentials. I don't want this to happen; I want the user to still authenticate themselves again after the token expires, just like when I write the audience.

So what is the audience, and why does it affect the behaviour like this?

And how can I fix it to get the behaviour I want?

Below is the Auth0 configuration:

auth0 = new auth0.WebAuth({
    clientID: environment.auth0ClientId,
    domain: environment.auth0Domain,
    responseType: 'token id_token',
    // Below is the audience I'm talking about.
    // Must be a template literal (backticks) for ${...} to be interpolated;
    // with single quotes the literal text "${constants.MY_APP}/userinfo" is sent.
    audience: `${constants.MY_APP}/userinfo`,
    redirectUri: `${constants.ORIGIN_URL}/auth`,
    scope: 'openid email'
});

I need to know how I can make the JWT verify correctly, as well as get the login behaviour right when the JWT expires.

Hello @andre.hermanto93,

If you want to force the user to do a full login when their token has expired, I believe you need to set your SSO session timeout to be the same as your JWT expiration. Otherwise when the JWT expires the SSO session will still be active and the user will be issued a new token.

For the access token, if you do not specify an audience, you will get an opaque token instead of a JWT, which may be where your "Algorithm doesn't match" error is coming from.

1 Like

@markd But that would have different behaviour if I force logout with the SSO session timeout. I wouldn't be able to see the login window with "Last time you logged in with" if I force logout.

Also, the token I get when I explicitly write the audience is RS256, while the backend verifies HS256. Is there any way for me to get an HS256 token when I explicitly write the audience?

Hi @andre.hermanto93. My apologies, I thought you wanted to force a full login after the token expires. If you want the 'last time you were logged in with' prompt, and depending on the age of your tenant, I believe you need to use the prompt=login option per this post:

For the signing algorithm, it is strongly suggested to use RS256, which uses PKI instead of a shared secret. In fact, I believe RS256 is mandatory if you want to use JWTs instead of opaque tokens.

@markd Not sure what I did wrong, but adding this.auth0.authorize({prompt: 'login'}); still skips the 'last time you were logged in with' prompt.

Does your tenant have the "Seamless SSO" option (under Settings → Advanced → Log In Session Management)?

Nope

Hello @andre.hermanto93.

Just looking back at your previous messages, it's not completely clear to me what you are trying to achieve. In the screenshot above you have seamless SSO disabled, which should cause the 'Last time you logged in with' prompt to appear.

I’m certainly not an expert with auth0.js, but I don’t think you need to specify an audience when initializing the connection. The examples at the link below might be helpful:

@markd thank you for your quick response. I just want the prompt to appear, and I already tried what you suggested, which includes adding the prompt=login parameter, and I discarded the audience. But it still doesn't show the 'Last time you logged in with' prompt.

Hey there!

Sorry for such a huge delay in response! We're doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?