I’ve been trying to set up a SPA which sends an auth token to my APIs, whose endpoints are secured, but no matter what I do I can’t get an auth token with a payload to send to the APIs, even when using Postman to do the PKCE authentication, although Implicit flow does return a valid auth token when using Postman. I’ve been sure to set an audience in Postman and my SPA.
The PKCE flow works both in my SPA and in Postman, in that I can do the code exchange to get the id_token, which contains the user email, name etc., so all that seems fine. I’ve inspected the generated Auth Token in JWT.io and, while the headers are OK, the payload is always empty.
If I use https://dashboard-v1.whatabyte.app/ then I do get a populated payload so clearly it’s something I’m doing wrong. This has been driving me nuts for the last few days!
Application Type - Native (I’ve tried different combinations)
Grant Types - Implicit, Authorization Code, Refresh Token
Hopefully this will help others. What was happening is that, even though the audience was set in Postman, it wasn’t actually sending it in the request, so what was coming back was a JWE, not a JWT (similar to “Auth0 access token is missing the JWS payload”).
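
The symptom and cause described above can be checked mechanically. This is an added example, not part of the original post: it tells a 3-segment JWS from a 5-segment JWE by structure alone (no signature verification) and checks whether an authorization request URL carries an `audience` parameter. The function names, sample tokens and `example.invalid` URLs are constructed for illustration.

```javascript
// Decode one base64url segment and require it to be a JSON object.
function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("not a JSON object");
  return value;
}

// Classify a token by its compact serialization. Nothing is verified or decrypted.
function classifyToken(token) {
  const parts = token.split(".");
  let header;
  try {
    header = b64urlToJson(parts[0]);
  } catch {
    return { kind: "opaque", reason: "first segment is not a JSON header" };
  }
  // JWE compact: header.encryptedKey.iv.ciphertext.tag, with "enc" in the header.
  // The encryptedKey segment can be empty, so a JWT debugger shows a header and no payload.
  if (parts.length === 5 && typeof header.enc === "string") {
    return { kind: "JWE", alg: header.alg, enc: header.enc };
  }
  // JWS compact: header.payload.signature, where the payload holds the claims.
  if (parts.length === 3 && parts[1] !== "") {
    try {
      return { kind: "JWS", alg: header.alg, claims: b64urlToJson(parts[1]) };
    } catch {
      return { kind: "unknown", reason: "payload is not JSON" };
    }
  }
  return { kind: "unknown", reason: `${parts.length} segments` };
}

// True only if the authorization request URL actually carries a non-empty audience.
function authorizeRequestHasAudience(url) {
  const aud = new URL(url).searchParams.get("audience");
  return typeof aud === "string" && aud.length > 0;
}

// Constructed sample tokens (not real credentials; signature and ciphertext are dummies).
const seg = (v) => Buffer.from(typeof v === "string" ? v : JSON.stringify(v))
  .toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_JWS = [seg({ alg: "RS256", typ: "JWT" }),
  seg({ aud: "https://api.example.invalid", sub: "user-1" }), seg("sig")].join(".");
const SAMPLE_JWE = [seg({ alg: "dir", enc: "A256GCM" }), "", seg("iv"), seg("ct"), seg("tag")].join(".");

console.log(classifyToken(SAMPLE_JWS).kind, classifyToken(SAMPLE_JWE).kind);
```

Running `authorizeRequestHasAudience` against the URL a client really sends (for example, copied from a proxy or the browser network tab) shows whether the configured audience reached the request.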