Interesting. I’ve been trying different variations and I found something that didn’t result in an error.
First, I removed the prefix "Bearer " on the token before using it. Then I tried the secret key in jwt.verify(token, secretOrPublicKey, option)
which resulted in the same invalid token. Yet when I tried my PEM encoded public key, it resulted in invalid audience
with a recommended setting of ‘FstBEWbbWYZFjwyi0UbU1rNkhCI1_wqp’, which is the exact audience
setting I DO have in the options object. On a whim, I then tried commenting out the audience
in options:
    const options = {
      // audience: "FstBEWbbWYZFjwyi0UbU1rNkhCI1_wqp",
      issuer: "https://myappdomain.auth0.com/",
      algorithms: ["RS256"]
    };
And when I use that, the call succeeds and the result is:
    {
      iss: 'https://myappdomain.auth0.com/',
      sub: 'auth0|5e1a5d134659590cc78665f5',
      aud: [ 'https://api.myappdomain.com',
             'https://myappdomain.auth0.com/userinfo' ],
      iat: 1578893195,
      exp: 1578979595,
      azp: 'FstBEWbbWYZFjwyi0UbU1rNkhCI1_wqp',
      scope: 'openid profile email'
    }
Is that correct? And if correct, why would the aforementioned articles (here and here) all mention the inclusion of audience
in the options? And why would this ONLY work with the publicKey option and not secret key as also stated in the docs? Please help clarify.