Getting access token without audience

Hello. I am using React SDK. I’ve found one thing, could you explain what is it?
Some time ago I’ve done everything like in youtube course (React and Auth0 Crash Course and Workshop - YouTube), I’ve added permissions to access token then I used it. One day I’ve decided to refactor my code and I found a typo. In settings .env file audience variable had one name and in Auth0ProviderWithHistory it had another name (for putting to Auth0Provider parameters). So that all the time undefined was inserted as audience value. And I got all user’s permissions (all permissions of all API). When I found that typo, I fixed it, now audience is defined and it is correct, but in user’s permissions I have only those permissions which match to configured audience. Another words permissions are scoped by API which is set as audience. Is it normal behaviour? Where I can read about that?

P.S. As I know, SSO turned on by default. I have two sites which I can visit if I logged in on any of those two. And if I want to allow user some actions on both sites I can delete audience parameter for Auth0Provider and user will get access token with all permissions for all API, so that I can implement universal login for all of my sites. Am I right?

Hi @alt1,

Are you viewing the user’s permissions in an Access Token or an ID Token?

When you supply an audience for your SPA, Auth0 will issue a JWT Access Token that can be used with the external API you’ve configured as the audience. Otherwise, if the audience is not provided, then Auth0 will supply an opaque Access Token that can’t be decoded. This Access Token can be used to hit the /userinfo endpoint to get the user’s profile.

1 Like