Go Backend Quickstart: Invalid Audience Claim

My Go knowledge (which is zero) does not allow me to provide a definitive answer; however, based on the information you provided and a look at the code base that performs the validation, there's something that could be the culprit.

From the Auth0 side, when you request a user to authenticate and at the same time obtain an access token for your own API, the returned access token will include the audience of the API and also the audience of the /userinfo endpoint when your API is using RS256.

The reason for this is that, since the API is using RS256, only Auth0 has knowledge of the private key, so it can leverage support for multiple audiences in the same access token as a way to provide you with a way to call your own API and also the /userinfo endpoint.

Most JWT validation libraries will then perform an audience check validation with the following very high level algorithm:

  • if the JWT aud claim is a string then the value needs to exactly match the expected audience passed for validation;
  • if the JWT aud claim is an array then one of its values needs to exactly match the expected audiences passed for validation.

However, from a quick look at the Go code that is doing the JWT validation, we have the following, where e.Audience is the expected audience and c.Audience is the one coming from the token:

if len(e.Audience) != 0 {
  if len(e.Audience) != len(c.Audience) {
    return ErrInvalidAudience
  }

  for _, v := range e.Audience {
    if !c.Audience.Contains(v) {
      return ErrInvalidAudience
    }
  }
}

This is where my Go fails me, so I'm not sure of this, but it may be the situation that the JWT validation library is expecting to match all audiences, so when you provide only one it will fail the first check, which seems to be based on the number of audiences expected vs. the number of audiences provided in the token.

Given you're already using Go, you'll be able to prove or dismiss this theory; if what I said above is not complete craziness, you may want to try to provide as expected audiences all the audiences you see in the returned JWT. Can you also confirm if this solves the situation, so I can make a request to update the quickstart?
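To make the two checks concrete, here is an added Go example (not the quickstart's or the validation library's own code) that implements the any-match algorithm described above beside the length-plus-contains check quoted from the library; the type and function names are mine, and the audience values in the usage are constructed placeholders.

```go
package main

import "errors"

// Audience is the decoded JWT "aud" claim. RFC 7519 allows either a single
// string or an array of strings; a one-element slice stands for the string
// form. For an RS256-signed API, Auth0 returns the array form carrying both
// your API identifier and the /userinfo endpoint, as the post describes.
type Audience []string

var ErrInvalidAudience = errors.New("invalid audience claim")

// Contains reports whether v is one of the audiences in the token.
func (a Audience) Contains(v string) bool {
	for _, s := range a {
		if s == v {
			return true
		}
	}
	return false
}

// ValidateAnyAudience is the high-level algorithm most JWT libraries use, as
// described in the post: the token is accepted when at least one of its
// audiences exactly matches one of the expected audiences.
func ValidateAnyAudience(token, expected Audience) error {
	for _, v := range expected {
		if token.Contains(v) {
			return nil
		}
	}
	return ErrInvalidAudience
}

// ValidateAllAudiences mirrors the stricter check in the quoted Go library
// code: the expected list must have the same length as the token's aud and
// every expected value must be present, so one expected audience against a
// two-audience Auth0 token fails on the length comparison alone.
func ValidateAllAudiences(token, expected Audience) error {
	if len(expected) != 0 {
		if len(expected) != len(token) {
			return ErrInvalidAudience
		}
		for _, v := range expected {
			if !token.Contains(v) {
				return ErrInvalidAudience
			}
		}
	}
	return nil
}
```

Passing every audience present in the token (the workaround suggested above) makes the stricter check pass, while the any-match check accepts a single expected audience either way.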