I have an Angular Auht0 client and an ASP Core backend using Auth0 API. When using social logins everything works fine.
However when using email/password sign-in i miss the correct audience in the JWT token (just a random string?), so the authentication with the backend does not work in this case.
Would i then logout and login again with email/password (without entering the details as it is remembered) i do receive the correct audience details, and authorization with backend works fine.
How come i do not receive the correct audience at first login? Any ideas would be much appriciated.
Please update your question to also include the request parameters for the authentication request. Capturing a HAR file would also help with this; Generate and Analyze HAR Files. Please remove any passwords from the file, and upload it to a cloud storage service (e.g. Google drive), and share the link with us. Feel free to restrict access to the link for only @auth0.com email domains using Sharelock.io.
As mentioned in the comments, the HAR file would probably allow for a definitive response, however, based on the information you provided one possible cause for the situation described is that you’re using Lock embedded in the client application itself and this usage of Lock does not yet have full support for API Authorization functionality (aka audience parameter) hence the issue you described when using username/password login for the first time.
There’s ongoing work on providing support for API Authorization while using Lock directly in the client application itself, but this is not yet formally documented/supported.