Calling Management API fails with "Bad Audience" even though audience matches Management API identifier

I’m using a client credentials flow to access the Management API. I’ve configured the settings such that my M2M app is authorized to request access tokens for the Management API, and it has all available permissions. I’ve decoded the token at jwt.io and ensured it has all possible scopes, and the audience is the Management API identifier.

The issue appears to have something to do with the domain. My domain looks like this:
{tenant-name}.us.auth0.com.

I’m performing the client-credentials token request using the audience: https://{tenant-name}.us.auth0.com/api/v2/

  • When I make a GET request to /api/v2/clients I get a 400 error (Bad Request)
  • If I make the request to the same endpoint, but removing ‘.us’ from the domain, I get a 401:
{
  statusCode: 401,
  error: 'Unauthorized',
  message: 'Bad audience: https://{tenant-name}.us.auth0.com/api/v2/'
}

Why am I getting nothing when I send a request to the correct URL, but when I omit the ‘.us’ I do get a response, but the audience is bad?

import fetch, { Response } from 'node-fetch'

// tenantName and AUTH0_MANAGEMENT_TOKEN are read from the environment here
const tenantName = process.env.AUTH0_TENANT_NAME
const AUTH0_MANAGEMENT_TOKEN = process.env.AUTH0_MANAGEMENT_TOKEN

async function listClients() {
  // GET /api/v2/clients against the regional (.us) domain
  const endpoint = `https://${tenantName}.us.auth0.com/api/v2/clients`
  const options = {
    method: 'get',
    headers: {
      'content-type': 'application/json',
      Authorization: `Bearer ${AUTH0_MANAGEMENT_TOKEN}`
    },
  }
  const response: Response = await fetch(endpoint, options)
  console.log(response)
  const result = await response.json()
  console.log(result)
}

Proof the token has the “read:clients” scope:

Hi @jackl,

Welcome to the Community!

If you go to your APIs > Auth0 Management API > Test, you should see an example request.

The 400 error typically means there is a problem with the request itself, like an issue with formatting or otherwise.

You can try using the Management API Explorer to rule out any tenant configuration errors. This will also confirm that your token is correct.

@dan.woda Thanks for your response.

I tried doing it that way. The behavior is exactly the same.

If I send a request where the domain matches what’s in the audience, I get a 400 bad request. If I remove the ‘.us’ from the domain, I get 401 Unauthorized: Bad audience (because the audience still has the ‘.us’ in it?).

Audience: https://{tenant-name}.us.auth0.com/api/v2/
GET request to any API endpoint beginning with the audience above returns 400 Bad Request

GET request to any API endpoint beginning with https://{tenant-name}.auth0.com/api/v2/ returns

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Bad audience: https://{tenant-name}.us.auth0.com/api/v2/"
}

Have you ever heard of this behavior before?

I found a solution, but I don’t understand the problem. My actions-flow added some custom claims to the token. When I removed the action, it worked as expected.

I don’t understand why having custom claims would affect the ability to access the Management API. If anyone can tell me what’s going on that would be helpful. Thanks!

EDIT:
Originally, the action set the custom claims to include every scope as a key with “true” as the value. In this case there were lots of scopes, so there were many key-value pairs in the custom claims. I altered the action so there are fewer items in the custom namespace claims. Now it works again. Is there some documentation missing about how many claims are allowed? Or is this an issue worth investigating?


Hmm it is hard to say. I don’t think there is a hard and fast limit on the number of custom claims, but it is possible that the token can get too big.

The access token is passed as a bearer token in an HTTP header. The standard doesn’t specify a size limit, but web browsers impose a limit. If the access token was larger than 8K, that probably was the issue.

John
