createAuth0Client ignores passed in Audience. Generates JWT with audience of access_token

jalava85 · February 13, 2020, 1:35pm

Problem: JWT is created with the wrong audience.
Expected Behavior: When creating an Auth0Client, the client will use the passed in option for audience.
Actual Behavior: The Auth0Client disregards passed in audience and generates a JWT with an audience that is the same as the access_token.

Description:
I’m using:

createAuth0Client({
        domain: environment.auth0.domain,
        client_id: environment.auth0.clientId,
        redirect_uri: environment.auth0.redirectUri,
        responseType: 'token id_token',
        scope: 'openid profile offline_access',
        audience: environment.auth0.audience
    })

Authentication works, silent auth works. However, the “audience” prop in the id_token (the JWT) is always set to the same value as the access token. It’s like it completely disregards my Auth0ClientOptions.

I’ve also tried:

client.getIdTokenClaims({
                scope: 'openid profile offline_access',
                audience: environment.auth0.audience
            }))

Again, it doesn’t use the audience I passed in. How do I generate a JWT with the passed in audience? I need to control the audience used when generating the verified JWT.

dan.woda · February 18, 2020, 6:36pm

Hi @jalava85,

The audience claim in the id_token should be the app identifier. According to our tokens doc:

The audience (the aud claim) of the token is set to the application’s identifier, which means that only this specific application should consume this token.

This is because the id tokens are meant to be consumed by the application only, and not used to call an API.

You should be calling an API with an access token. Is the audience you are requesting not being returned properly in the access token?

Let me know,
Dan

jalava85 · February 19, 2020, 12:53pm

@dan.woda thanks for the prompt response. I couldn’t let it go and over the weekend I spend a ton of time playing with a couple of different tenants and the configuration options.

It turns out that an access_token can be both a JWT and an opaque token.

Without specifying an API as audience the token will be opaque. Once I updated the audience value when I create the Auth0 client then the access_token came back as a JWT with 2 entries under audience. This made my backend RS256 JsonWebToken signature validation pass.

dan.woda · February 19, 2020, 7:52pm

Glad you figured it out!

dan.woda · March 4, 2020, 11:52pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Audience yes, no, why? Help jwt , access-token , opaque-tokens	7	5618	March 27, 2021
JWT returned to callback has incorrect aud (audience) Help jwt , audience , angular2	6	12362	March 2, 2018
[SPA + API] Can NOT Get Audience Correct Help jwt , auth0 , api , spa , audience	4	5074	February 9, 2019
Auth0.js - not returning the correct audience Help jwt , javascript , audience	2	3911	March 2, 2018
Why is it necessary to pass the 'audience' parameter to receive a JWT? Help	6	39458	September 15, 2022

createAuth0Client ignores passed in Audience. Generates JWT with audience of access_token

Related Topics