I’m trying to request an access token for an API using the authorization code flow. I’m using Postman’s built-in access token getter. The application it’s authenticating for is an SPA. I have all the URLs set and also an audience, but it receives an opaque token instead of a JWT. The Auth0 docs say a JWT should be returned if I request an audience.
I understand that you’ve been obtaining an opaque token instead of a JWT access token.
Yes, that is correct. You will need to specify the audience parameter to get a JWT access token. Not specifying an audience parameter will return an opaque token with the information from the /userinfo endpoint. This is consistent with our Control Access Token audience documentation.
I have just tested this myself and can confirm that including the audience returns a JWT token, whereas excluding the audience returns an opaque token. This is working as expected.
In this case, I recommend that you make sure that the /authorize request when using Postman recognizes the audience parameter or the changes you made to your request.
In this request, please specify the audience parameter with your API identifier. Then in the response, you’ll obtain an authorization code that you can use with the /oauth/token endpoint to obtain the Access Token as a JWT.
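The check described above, as an added example that is not part of the original thread or Auth0's own code: it builds the /authorize request with the audience parameter, confirms the URL actually sent carries it, and classifies a returned access token as JWT or opaque. The tenant domain, client ID, callback URL, API identifier and sample tokens are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical placeholders, not values from the thread.
TENANT = "https://YOUR_TENANT.example.com"
API_IDENTIFIER = "https://api.example.com/"

def build_authorize_url(client_id, redirect_uri, audience, scope="openid profile"):
    """Build the /authorize request; audience has to be set here, on the first leg."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "audience": audience}
    return f"{TENANT}/authorize?{urlencode(params)}"

def has_audience(authorize_url, expected):
    """True if the URL the client really sent carries the expected audience."""
    return parse_qs(urlparse(authorize_url).query).get("audience") == [expected]

def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def classify_access_token(token):
    """Return ('jwt', claims) or ('opaque', None). Decodes only, no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque", None
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "opaque", None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(claims, dict):
        return "opaque", None
    return "jwt", claims

def audience_matches(claims, expected):
    """The aud claim may be a single string or a list of strings."""
    aud = claims.get("aud")
    return expected in (aud if isinstance(aud, list) else [aud])

def sample_unsigned_jwt(claims):
    """Constructed sample token with a dummy signature, for offline testing only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    url = build_authorize_url("CLIENT_ID", "https://app.example.com/callback", API_IDENTIFIER)
    print(url, has_audience(url, API_IDENTIFIER))
    print(classify_access_token(sample_unsigned_jwt({"aud": [API_IDENTIFIER]})))
```

Comparing the authorize URL shown in Postman's console against `has_audience` tells you whether the parameter was dropped before the request left the client. The classifier only inspects structure, so a resource server still has to verify the signature before trusting any claim.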
I’ll take your word that Auth0 is handling the requests correctly. It seems to be an issue with Postman. I filed a bug report for the logging so hopefully that uncovers a deeper issue.