createAuth0Client ignores passed in Audience. Generates JWT with audience of access_token

Problem: JWT is created with the wrong audience.
Expected Behavior: When creating an Auth0Client, the client will use the passed-in option for audience.
Actual Behavior: The Auth0Client disregards the passed-in audience and generates a JWT with an audience that is the same as the access_token.

Description:
I’m using:

createAuth0Client({
    domain: environment.auth0.domain,
    client_id: environment.auth0.clientId,
    redirect_uri: environment.auth0.redirectUri,
    responseType: 'token id_token',
    scope: 'openid profile offline_access',
    audience: environment.auth0.audience
})

Authentication works, silent auth works. However, the “audience” prop in the id_token (the JWT) is always set to the same value as the access token. It’s like it completely disregards my Auth0ClientOptions.

I’ve also tried:

client.getIdTokenClaims({
    scope: 'openid profile offline_access',
    audience: environment.auth0.audience
})

Again, it doesn’t use the audience I passed in. How do I generate a JWT with the passed-in audience? I need to control the audience used when generating the verified JWT.

Hi @jalava85,

The audience claim in the id_token should be the app identifier. According to our tokens doc:

The audience (the aud claim) of the token is set to the application’s identifier, which means that only this specific application should consume this token.

This is because the id tokens are meant to be consumed by the application only, and not used to call an API.

You should be calling an API with an access token. Is the audience you are requesting not being returned properly in the access token?

Let me know,
Dan

@dan.woda thanks for the prompt response. I couldn’t let it go and over the weekend I spent a ton of time playing with a couple of different tenants and the configuration options.

It turns out that an access_token can be both a JWT and an opaque token.

Without specifying an API as audience the token will be opaque. Once I updated the audience value when I create the Auth0 client then the access_token came back as a JWT with 2 entries under audience. This made my backend RS256 JsonWebToken signature validation pass.

1 Like
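A worked illustration of the distinction drawn in the reply above (the id_token's aud is the application identifier, the access_token is what carries the API audience) and of the outcome in the follow-up post (an opaque access_token until an API audience is requested, then a JWT with two aud entries). This is an added example, not code from the thread or from the auth0-spa-js SDK: it decodes a compact JWT's payload for inspection only (no signature check), classifies a token as opaque or JWT-shaped, and validates aud the way a resource server should, accepting both the string and array forms. The tenant URL, client id and API identifier are constructed placeholders.

```javascript
// Added example, not from the thread or the auth0-spa-js SDK.
// Tenant URL, client id and API identifier below are constructed placeholders.

// base64url helpers (Node's Buffer tolerates missing '=' padding on decode)
function b64urlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(text) {
  return Buffer.from(text.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// An opaque access token (what is issued when no API audience is requested)
// is not header.payload.signature shaped, so it carries no aud claim at all.
function isJwtShaped(token) {
  return typeof token === 'string' && token.split('.').length === 3;
}

// Decode the payload only. This is inspection, not validation: the signature
// is NOT checked here; a resource server verifies it with a JWT library first.
function decodePayload(token) {
  if (!isJwtShaped(token)) return null;
  return JSON.parse(b64urlDecode(token.split('.')[1]));
}

// RFC 7519 allows `aud` to be a single string or an array of strings; the
// access token in the thread came back with two entries. Accept either form
// and require that the expected identifier is present.
function hasAudience(claims, expected) {
  if (!claims || claims.aud === undefined) return false;
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return audiences.includes(expected);
}

// What a resource server expecting `expectedApi` can say about a token.
function describeToken(token, expectedApi) {
  if (!isJwtShaped(token)) return { shape: 'opaque', audienceOk: false };
  const claims = decodePayload(token);
  return { shape: 'jwt', aud: claims.aud, audienceOk: hasAudience(claims, expectedApi) };
}

// Build an unsigned sample token (alg "none", empty signature) for the demo.
// Constructed for illustration only; real Auth0 tokens are RS256-signed.
function sampleToken(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.`;
}

const ISSUER = 'https://TENANT_PLACEHOLDER.auth0.com/';
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';
const API_AUDIENCE = 'https://api.example.com'; // value passed as the `audience` option

// id_token: aud is the application's client id, as the reply explains.
const idToken = sampleToken({ iss: ISSUER, sub: 'auth0|user', aud: CLIENT_ID });
// access_token when an API audience was requested: a JWT with two aud entries.
const accessToken = sampleToken({
  iss: ISSUER, sub: 'auth0|user',
  aud: [API_AUDIENCE, `${ISSUER}userinfo`],
  scope: 'openid profile offline_access',
});
// access_token when no API audience was requested: opaque, no claims inside.
const opaqueToken = 'constructedOpaqueTokenValue';

for (const [name, t] of [['id_token', idToken], ['access_token', accessToken], ['opaque', opaqueToken]]) {
  console.log(name, describeToken(t, API_AUDIENCE));
}
```

Running it shows the id_token satisfying only the client-id audience, the JWT access_token satisfying the API audience (with two aud entries), and the opaque token failing the shape check before any claim can be read, which is the symptom of omitting the `audience` option.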

Glad you figured it out!
