Getting in appropriate access token and audience not working

I am building an Android app and I am following the GitHub guide. Nevertheless, there is one specific thing shown in this guide that is not working for me.

In the guide (auth0-android-sample/MainActivity.java at master · auth0-samples/auth0-android-sample · GitHub) they suggest doing the following to open a web provider (line 41 to 48):

private void login() {
    token.setText("Not logged in");
    Auth0 auth0 = new Auth0(this);
    auth0.setOIDCConformant(true);
    WebAuthProvider.init(auth0)
            .withScheme("demo")
            // audience built from the tenant domain: https://<domain>/userinfo
            .withAudience(String.format("https://%s/userinfo", getString(R.string.com_auth0_domain)))
            .start(MainActivity.this, new AuthCallback() {
                // the callback body was cut off in the quoted snippet; minimal implementation of the interface
                @Override public void onFailure(@NonNull Dialog dialog) { dialog.show(); }
                @Override public void onFailure(AuthenticationException exception) { token.setText(exception.getMessage()); }
                @Override public void onSuccess(@NonNull Credentials credentials) { token.setText(credentials.getAccessToken()); }
            });
}

Nevertheless, after logging in or creating an account, I get a very short access token, something like: xyasdfcv_kjfwea234. On the other hand, if I hardcode the audience name as follows:

.withAudience(<Audience Name>) 

instead of .withAudience(String.format("https://%s/userinfo", getString(R.string.com_auth0_domain)))
then I do get a proper access token (the very long one). In fact, if I validate the short access token I get an error saying “invalid claims” but I do not get such error with the long access token.

My questions are:
(1) What should I do in order to get the proper access token without having to hardcode the audience name?
(2) How secure is it to manually input the audience name instead of using what they suggest?

Thank you for the help.

You did not provide the two audiences being used, so I’m assuming that they don’t match, in particular:

  • you use https://{your_domain}.auth0.com/userinfo audience for the case you get a short access token.
  • you use something like https://example.com/api which maps to an API you configured yourself in the APIs section or you use something like https://{your_domain}.auth0.com/api/v2/ which maps to the Management API of your account when you get the long access token.

The short access token is generally referenced as an opaque bearer token because if you have it you don’t derive any information directly from the token (it’s opaque). The long access token is a self-contained token (in this case using the JWT format) where you can extract information directly from the token.

In addition, the access token format is an implementation detail between the authorization server (the issuer of the token) and the resource server that accepts it (the consumer of the token). When you specify an audience you state that you want an access token suitable for that API which means that:

  • when using the /userinfo audience you get an opaque access token because that’s the format that API chose to support.
  • when using an audience for an API you configured yourself you get a self-contained JWT token because… well, because currently there are no other formats supported for APIs that you configure yourself, so JWT is the one you get.

By getting a JWT it means your API can validate the token and extract the information within it. Also, if you have an access token for /userinfo it makes no sense to try to send it to another audience because the access token is only intended for /userinfo.

To answer your exact questions: you need to send the audience of the API to which you then want to send the token. How you set that audience is mostly up to you; you can put the literal value directly in code or retrieve it from a property. Retrieving it from a property may have the benefit that the value will be in one single place and you can then use the property more than once (but there’s no difference in security).
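The following is an added, stand-alone example (not code from the thread or from Auth0's SDK) that shows the distinction the answer draws from the resource server's side: an opaque token cannot be inspected locally, whereas a self-contained JWT is verified and its claims checked, and a JWT minted for one audience is rejected with an "invalid claims" style error by any other audience. Everything here is constructed: the shared secret, the issuer, the audiences and the user id are placeholders, and HS256 with a shared secret is used only so the example runs offline with the standard library (the signing algorithm a real tenant uses is not covered on this page).

```python
import base64
import hashlib
import hmac
import json
import time

# constructed placeholders, not values from the thread
SECRET = b"constructed-demo-secret"
ISSUER = "https://example.auth0.com/"
API_AUDIENCE = "https://example.com/api"
USERINFO_AUDIENCE = "https://example.auth0.com/userinfo"


class InvalidToken(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def is_self_contained(token: str) -> bool:
    """True when the token is a JWS compact serialization: three segments, JSON header with an alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Issuer side: sign a claim set as an HS256 JWT (constructed stand-in for the authorization server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_access_token(token: str, secret: bytes, expected_audience: str, expected_issuer: str, now=None) -> dict:
    """Resource-server side: verify signature, then issuer, audience and expiry; return the claims."""
    if not is_self_contained(token):
        raise InvalidToken("opaque token: cannot be validated locally, only the API it was issued for can use it")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise InvalidToken("invalid claims: issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise InvalidToken("invalid claims: audience mismatch")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise InvalidToken("invalid claims: token expired")
    return claims


def demo() -> dict:
    """Walk through the two token shapes from the question and the audience check from the answer."""
    results = {}
    opaque = "xyasdfcv_kjfwea234"  # same shape as the short token quoted in the question
    results["opaque_is_jwt"] = is_self_contained(opaque)
    # an API access token may carry several audiences, e.g. the API plus /userinfo
    jwt_token = mint_jwt(
        {"iss": ISSUER, "sub": "auth0|constructed-user", "aud": [API_AUDIENCE, USERINFO_AUDIENCE],
         "exp": int(time.time()) + 3600},
        SECRET,
    )
    results["jwt_is_jwt"] = is_self_contained(jwt_token)
    results["accepted_by_api"] = validate_access_token(jwt_token, SECRET, API_AUDIENCE, ISSUER)["sub"]
    try:
        validate_access_token(jwt_token, SECRET, "https://other.example.com/api", ISSUER)
        results["accepted_by_other_api"] = True
    except InvalidToken as exc:
        results["accepted_by_other_api"] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the opaque string failing the JWT shape test, the JWT being accepted by the API named in its `aud`, and the same JWT being refused with "invalid claims: audience mismatch" by an API it was not issued for, which is the behaviour the answer describes for a token sent to the wrong audience.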