
Authorize endpoint behavior changes depending on the location of the audience parameter

I’m trying to perform API authorization and when the following request is made, the access_token returned is always an opaque token even though the audience parameter is set:

If I reorder the parameters, the access_token returned is a JWT and has the proper “aud” parameter:

Go by default sorts Query parameters alphabetically,


Did a quick test and could not reproduce, but I may be missing something. You should consider if it’s possible to capture an HTTP trace containing all requests and response where you experience that behavior.

As an additional note, from a quick check of server logs I saw some request for that client identifier that did not include any audience; unsure if that was part of any test, but there are a few.

@jmangelo Did a quick retest with Google’s OAuth2 playground and I’m not seeing the behavior. I’ll dig in further with my actual app.

For normal login, I’m not specifying the audience since I want openid profile information. I’m planning on implementing an alternate flow for requesting API tokens.
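
A diagnostic sketch for the checks discussed in this thread, added here as an example and not code from any poster or from Auth0: it shows the key-sorted query string that Go's `url.Values.Encode` produces, checks a captured authorize URL for a non-empty `audience`, and tells a JWT access token from an opaque one by reading its `aud` claim. The function names, `tenant.example`, `api.example` and `CLIENT_ID` are placeholders assumed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// BuildAuthorizeURL relies on url.Values.Encode, which emits keys in sorted order.
func BuildAuthorizeURL(base string, v url.Values) string { return base + "?" + v.Encode() }

// HasAudience reports whether a captured authorize URL carries a non-empty audience.
func HasAudience(raw string) bool {
	u, err := url.Parse(raw)
	return err == nil && u.Query().Get("audience") != ""
}

// TokenAudience returns the "aud" values when tok has JWT shape; ok is false for
// an opaque token. Diagnostic only: the signature is not verified here.
func TokenAudience(tok string) ([]string, bool) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, false
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if json.Unmarshal(payload, &claims) != nil {
		return nil, false
	}
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, true
	}
	var many []string
	_ = json.Unmarshal(claims.Aud, &many) // "aud" may also be an array
	return many, true
}

func main() {
	// Constructed sample request; all values are placeholders.
	v := url.Values{"scope": {"openid profile"}, "client_id": {"CLIENT_ID"}, "audience": {"https://api.example/"}}
	u := BuildAuthorizeURL("https://tenant.example/authorize", v)
	fmt.Println(u, HasAudience(u))
	fmt.Println(TokenAudience("opaque-token-value"))
}
```

Running `HasAudience` over every authorize request in an HTTP trace separates requests that were sent without an audience from requests where it was sent but not honored.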