Authorize endpoint behavior changes depending on the location of the audience parameter

I’m trying to perform API authorization and when the following request is made, the access_token returned is always an opaque token even though the audience parameter is set:

https://bcd.auth0.com/authorize?audience=https%3A%2F%2Fpltcloud.com&client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612

If I reorder the parameters, the access_token returned is a JWT and has the proper “aud” parameter:

https://bcd.auth0.com/authorize?client_id=Rcy1ii41XC0k3P9sdl8pmywmxClgOWGA&redirect_uri=https%3A%2F%2Fserveo.iotcloud.io%2Fcallback&response_type=code&scope=release%3Aupload&state=1155501612&audience=https%3A%2F%2Fpltcloud.com

Go by default sorts query parameters alphabetically; see proposal: net/url: preserve order of URL Query parameters instead of sorting them alphabetically (Issue #29985, golang/go, GitHub).

Eric

Did a quick test and could not reproduce, but I may be missing something. You should consider if it’s possible to capture an HTTP trace containing all requests and responses where you experience that behavior.

As an additional note, from a quick check of server logs I saw some requests for that client identifier that did not include any audience; unsure if that was part of any test, but there are a few.

@jmangelo Did a quick retest with Google’s OAuth2 playground and I’m not seeing the behavior. I’ll dig in further with my actual app.

For normal login, I’m not specifying the audience since I want openid profile information. I’m planning on implementing an alternate flow for requesting API tokens.

Thanks,

Eric
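An added example, not part of the thread and not Auth0's code: a Go diagnostic that checks whether two authorize URLs carry the same parameters regardless of order, and whether a returned access token is a JWT with an `aud` claim or an opaque string. The host, client ID and audience values are constructed, and the function names `sameParams` and `tokenAudience` are hypothetical; it goes slightly beyond the thread by also handling `aud` given as an array.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// sameParams reports whether two URLs carry identical query parameters in any
// order; url.Values.Encode sorts by key, so its output is a canonical form.
func sameParams(a, b string) bool {
	ua, errA := url.Parse(a)
	ub, errB := url.Parse(b)
	if errA != nil || errB != nil {
		return false
	}
	return ua.Query().Encode() == ub.Query().Encode()
}

// tokenAudience returns the "aud" claim of a JWT access token; ok is false
// for an opaque token. Diagnostic only: the signature is NOT verified.
func tokenAudience(token string) (aud []string, ok bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Aud interface{} }
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, false
	}
	switch v := claims.Aud.(type) {
	case string: // single audience
		aud = []string{v}
	case []interface{}: // audience array
		for _, a := range v {
			aud = append(aud, fmt.Sprint(a))
		}
	}
	return aud, true
}

func main() {
	q := url.Values{"client_id": {"CLIENT_ID"}, "audience": {"https://api.example"}} // constructed sample values
	reordered := "https://t.example/authorize?client_id=CLIENT_ID&audience=https%3A%2F%2Fapi.example"
	fmt.Println(q.Encode()) // Encode sorts keys, so audience comes first
	fmt.Println(sameParams("https://t.example/authorize?"+q.Encode(), reordered))
	fmt.Println(tokenAudience("opaque-token-value"))
}
```

Running `sameParams` over the URLs from a captured HTTP trace shows whether a request differs by more than parameter order, for example a missing `audience`.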