
Authorize endpoint behavior changes depending on the location of the audience parameter

I’m trying to perform API authorization and when the following request is made, the access_token returned is always an opaque token even though the audience parameter is set:

https://bcd.auth0.com/authorize?audience=https%3A%2F%2Fpltcloud.com&client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612

If I reorder the parameters, the access_token returned is a JWT and has the proper “aud” parameter:

https://bcd.auth0.com/authorize?client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612&audience=https%3A%2F%2Fpltcloud.com

Go by default sorts query parameters alphabetically: https://github.com/golang/go/issues/29985

Eric
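An added example in Go (not code from this thread or from Auth0's SDKs) showing the two things discussed above: `net/url` sorts query keys when encoding, which is why a Go-built authorize URL always has `audience` first, and a small diagnostic that tells an opaque access token apart from a JWT and reads its `aud` claim(s). The domain, client id and callback values are placeholders; the payload is only decoded, not verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// BuildAuthorizeURL assembles the /authorize request the way a Go client usually does.
// url.Values.Encode emits keys in sorted order, so "audience" lands first (golang/go#29985).
func BuildAuthorizeURL(domain, clientID, redirectURI, audience, scope, state string) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"audience": {audience}, "scope": {scope}, "state": {state},
	}
	return "https://" + domain + "/authorize?" + q.Encode()
}

// TokenAudience reports whether accessToken is a JWT and, if so, its "aud" claim(s).
// The payload is only decoded, never verified: a diagnostic for "API token or opaque?", not a trust check.
func TokenAudience(accessToken string) (isJWT bool, aud []string, err error) {
	parts := strings.Split(accessToken, ".")
	if len(parts) != 3 {
		return false, nil, nil // opaque token: there is no payload to inspect
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, nil, err
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(raw, &claims); err != nil {
		return true, nil, err
	}
	var one string // "aud" may be a single string or an array of strings
	if json.Unmarshal(claims.Aud, &one) == nil {
		return true, []string{one}, nil
	}
	var many []string
	if json.Unmarshal(claims.Aud, &many) == nil {
		return true, many, nil
	}
	return true, nil, fmt.Errorf("aud claim missing or malformed in payload %s", raw)
}

func main() {
	// Placeholder tenant, client id and callback; the output starts with audience=... regardless of insertion order.
	fmt.Println(BuildAuthorizeURL("bcd.auth0.com", "CLIENT_ID", "https://app.example/callback", "https://pltcloud.com", "release:upload", "1155501612"))
}
```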

Did a quick test and could not reproduce, but I may be missing something. You should consider if it’s possible to capture an HTTP trace containing all requests and responses where you experience that behavior.

As an additional note, from a quick check of server logs I saw some requests for that client identifier that did not include any audience; unsure if that was part of any test, but there are a few.

@jmangelo Did a quick retest with Google’s OAuth2 playground and I’m not seeing the behavior. I’ll dig in further with my actual app.

For normal login, I’m not specifying the audience since I want openid profile information. I’m planning on implementing an alternate flow for requesting API tokens.

Thanks,

Eric