Client credentials grant requires audience parameter

Problem Statement

We have configured a default audience for our Tenants following the documentation here.

However, for an M2M client and the client_credentials grant_type, the default audience is not being applied to the request.

When the audience is omitted from the request, we get an opaque token:

{
  "access_token": "gh..redacted",
  "expires_in": 86400,
  "token_type": "Bearer"
}

This behavior is causing a problem with a 3rd party integration. Is this expected behavior?

Solution

In general, for the tenant's default audience to be applied to the client credentials flow, the client must be non-global and the tenant's allow_api1_non_global_clients flag must be false.

Some public and private cloud tenants currently have this flag set to true.

As long as you are not using the Auth0 Management API v1, it is safe to have this flag set to false; contact Auth0 Support to change it. Once the flag is false, the default audience will be applied to the client credentials flow.
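Whichever way the tenant is configured, a client can guard against the opaque-token case by sending the audience explicitly and checking the shape of what comes back. The following is an added example, not Auth0 code or part of the original article; the tenant domain, API identifier and token values are constructed placeholders, and the sample JWT is unsigned and only exercises the checks.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder values; substitute your own tenant, client and API identifier.
TENANT_DOMAIN = "example.us.auth0.com"
API_IDENTIFIER = "https://api.example.com"
OPAQUE_RESPONSE = {"access_token": "gh3Fq9redacted", "expires_in": 86400, "token_type": "Bearer"}

def client_credentials_body(client_id, client_secret, audience=None):
    """Form body for POST https://{TENANT_DOMAIN}/oauth/token. Sending audience
    explicitly removes any dependence on the tenant default audience setting."""
    body = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if audience:
        body["audience"] = audience
    return urlencode(body)

def _b64url_json(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def classify_access_token(token_response):
    """'jwt' for a three-part JWS compact token whose JSON header carries alg,
    otherwise 'opaque' (what comes back when no audience is applied to the request)."""
    parts = token_response["access_token"].split(".")
    if len(parts) != 3 or not all(parts):
        return "opaque"
    try:
        header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header and isinstance(payload, dict) else "opaque"

def token_audiences(token_response):
    """aud claim(s) of a JWT access token as a list, or None for an opaque token.
    Claims are read without signature verification; verify before trusting them."""
    if classify_access_token(token_response) != "jwt":
        return None
    aud = _b64url_json(token_response["access_token"].split(".")[1]).get("aud")
    return aud if isinstance(aud, list) else [aud]

def constructed_jwt_response(audience=API_IDENTIFIER):
    """Constructed, UNSIGNED sample shaped like an Auth0 JWT access token (placeholder signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    payload = {"iss": f"https://{TENANT_DOMAIN}/", "aud": audience, "gty": "client-credentials"}
    return {"access_token": f"{enc(header)}.{enc(payload)}.placeholder",
            "expires_in": 86400, "token_type": "Bearer"}
```

A token that classifies as opaque cannot be validated locally by a third-party integration expecting a JWT, which is the symptom described in the problem statement.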