Empty access token payload when using PKCE

I’ve been trying to set up a SPA which sends an auth token to my APIs, whose endpoints are secured, but no matter what I do I can’t get an auth token with a payload to send to the APIs, even when using Postman to do the PKCE authentication, although Implicit flow does return a valid auth token when using Postman. I’ve been sure to set an audience in Postman and my SPA.

The PKCE flow works both in my SPA and in Postman in that I can do the code exchange to get the id_token which contains the user email, name etc so all that seems fine. I’ve inspected the generated Auth Token in JWT.io and while the headers are OK the payload is always empty.

If I use https://dashboard-v1.whatabyte.app/ then I do get a populated payload so clearly it’s something I’m doing wrong. This has been driving me nuts for the last few days!

Application Type - Native (I’ve tried different combinations)
Grant Types - Implicit, Authorization Code, Refresh Token

Hopefully this will help others. What was happening is that even though the audience was set in Postman, it wasn’t actually sending it in the request, so what was coming back was a JWE, not a JWT (similar to “Auth0 access token is missing the JWS payload”).

The audience had been set in Postman but it doesn’t seem to actually send it, so I had to include the audience in the query string, e.g. https://{TENANT}auth0.com/authorize?audience=https://{MYAPI}. There’s more info on the Postman issue here:
Feature Request: specify audience when getting OAUTH2 token · Issue #2934 · postmanlabs/postman-app-support · GitHub

1 Like
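
The fix described in the post above, as an added example that is not part of the original thread: it builds the PKCE `/authorize` request with the `audience` in the query string and checks whether the token that comes back is a JWT carrying that audience or a JWE/opaque value. The tenant domain, client ID, redirect URI and API identifier are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example, not code from the thread. All tenant/client/API values are
// constructed placeholders; function names are hypothetical.
const { createHash, randomBytes } = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// PKCE pair (RFC 7636, S256): challenge = BASE64URL(SHA256(verifier)).
function pkcePair(verifier = b64url(randomBytes(32))) {
  const challenge = b64url(createHash('sha256').update(verifier).digest());
  return { verifier, challenge };
}

// Authorization request with the audience placed in the query string, which is
// what the thread found Postman was not sending.
function buildAuthorizeUrl({ domain, clientId, redirectUri, audience, challenge, state }) {
  if (!audience) throw new Error('audience missing: the API will not get a JWT access token');
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
    scope: 'openid profile email', audience,
    code_challenge: challenge, code_challenge_method: 'S256', state,
  }).toString();
  return url.toString();
}

// Shape check only (no signature verification; the API must still verify it).
// Compact JWE has 5 dot-separated parts, a signed JWT has 3 with a JSON payload.
function classifyAccessToken(token, expectedAudience) {
  const parts = token.split('.');
  if (parts.length === 5) return { kind: 'jwe', usable: false };
  if (parts.length !== 3 || !parts[1]) return { kind: 'opaque', usable: false };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { kind: 'opaque', usable: false };
  }
  const aud = [].concat(claims.aud ?? []); // aud may be a string or an array
  return { kind: 'jwt', usable: aud.includes(expectedAudience), aud };
}

// Demo with constructed values; keep `verifier` for the later code exchange.
const { verifier, challenge } = pkcePair();
console.log(buildAuthorizeUrl({
  domain: 'tenant.example.test', clientId: 'CLIENT_ID_PLACEHOLDER',
  redirectUri: 'http://localhost:3000/callback',
  audience: 'https://api.example.test', challenge, state: b64url(randomBytes(16)),
}));
```

Running `classifyAccessToken` on the token from the code exchange before calling the API makes the missing-audience case visible immediately instead of as an unexplained 401.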

Hi @chris36

Welcome to Auth0 Community, it’s great to have you on board.

Well done for figuring this out 👍

I must admit, I’ve had issues with Postman previously, so I tend to use curl; this way the calls to the Auth0 service work as documented.

Let us know if you have any other issues with this.
Warm regards.

1 Like