Authorize endpoint behavior changes depending on the location of the audience parameter

I’m trying to perform API authorization and when the following request is made, the access_token returned is always an opaque token even though the audience parameter is set:

https://bcd.auth0.com/authorize?audience=https%3A%2F%2Fpltcloud.com&client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612

If I reorder the parameters, the access_token returned is a JWT and has the proper “aud” parameter:

https://bcd.auth0.com/authorize?client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612&audience=https%3A%2F%2Fpltcloud.com

Go by default sorts query parameters alphabetically, https://github.com/golang/go/issues/29985

Eric

Did a quick test and could not reproduce, but I may be missing something. You should consider if it’s possible to capture an HTTP trace containing all requests and responses where you experience that behavior.

As an additional note, from a quick check of server logs I saw some request for that client identifier that did not include any audience; unsure if that was part of any test, but there are a few.

@jmangelo Did a quick retest with Google’s OAuth2 playground and I’m not seeing the behavior. I’ll dig in further with my actual app.

For normal login, I’m not specifying the audience since I want openid profile information. I’m planning on implementing an alternate flow for requesting API tokens.

Thanks,

Eric
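
A diagnostic for the question raised in this thread, added here as an example (not code from any poster or from Auth0): it shows that Go's `url.Values.Encode` turns the second URL into the first, so both carry the same parameters, and it flags captured authorize requests that have no audience. The third sample URL and the helper names `canonical` and `missingAudience` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

const (
	base = "https://bcd.auth0.com/authorize?"
	aud  = "audience=https%3A%2F%2Fpltcloud.com"
	rest = "client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612"
)

// [0] and [1] are the URLs from the first post; [2] is constructed: no audience sent.
var captured = []string{base + aud + "&" + rest, base + rest + "&" + aud, base + rest}

// canonical returns the query as url.Values.Encode emits it (sorted by key) and the audience.
func canonical(raw string) (query, audience string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", err
	}
	p, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return "", "", err
	}
	return p.Encode(), p.Get("audience"), nil
}

// missingAudience lists the indexes of requests with no non-empty audience.
func missingAudience(urls []string) ([]int, error) {
	var missing []int
	for i, raw := range urls {
		_, a, err := canonical(raw)
		if err != nil {
			return nil, err
		}
		if a == "" {
			missing = append(missing, i)
		}
	}
	return missing, nil
}

func main() {
	q1, _, _ := canonical(captured[1])
	missing, _ := missingAudience(captured)
	fmt.Println(base+q1 == captured[0], missing) // true [2]
}
```

Running the same check over an HTTP trace of the real login flow separates a parameter-order difference from a request that never carried an audience.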