How to call a secured AWS API Gateway resource from a static web page?

Resolved. According to the docs:

  • If the audience is set to turingg.auth0.com/userinfo, then the Access Token will be an opaque string.

  • If the audience is set to the unique identifier of a custom API, then the Access Token will be a JSON Web Token (JWT).

So I had to change

var webAuth = new auth0.WebAuth({
  domain: AUTH0_DOMAIN,
  clientID: AUTH0_CLIENT_ID,
  redirectUri: AUTH0_CALLBACK_URL,
  audience: 'https://' + AUTH0_DOMAIN + '/userinfo',
  responseType: 'code token id_token',
  scope: 'openid profile email',
  leeway: 60
});

to

var webAuth = new auth0.WebAuth({
  domain: AUTH0_DOMAIN,
  clientID: AUTH0_CLIENT_ID,
  redirectUri: AUTH0_CALLBACK_URL,
  audience: '<unique identifier for my api>',
  responseType: 'code token id_token',
  scope: 'openid profile email',
  leeway: 60
});
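
An added example (not part of the original answer): a client-side check that tells an opaque access token from a JWT and confirms that its `aud` claim names the API, matching the two cases the docs describe. `inspectAccessToken`, `sampleJwt` and the `example.test` URLs in the usage are assumptions made for illustration; the check only reads claims and does not verify the signature.

```javascript
// Added example. Reads claims for debugging only; it does NOT verify the
// signature, which the API Gateway authorizer must still do server-side.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(seg.length / 4) * 4, '=');
  const bin = typeof atob === 'function'
    ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  // Re-interpret the bytes as UTF-8 so non-ASCII claim values survive.
  return decodeURIComponent(Array.from(bin, c =>
    '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join(''));
}

// Hypothetical helper: classify a token and check audience and expiry.
function inspectAccessToken(token, expectedAudience, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    // Opaque tokens have no header.payload.signature structure.
    return { kind: 'opaque', ok: false, reason: 'not a JWT' };
  }
  let header, claims;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    claims = JSON.parse(b64urlDecode(parts[1]));
    if (!header || !claims || typeof claims !== 'object') throw new Error();
  } catch (e) {
    return { kind: 'opaque', ok: false, reason: 'segments are not JSON' };
  }
  // "aud" may be a single string or an array of strings.
  const aud = [].concat(claims.aud === undefined ? [] : claims.aud);
  if (!aud.includes(expectedAudience)) {
    return { kind: 'jwt', ok: false, reason: 'aud mismatch', aud };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) {
    return { kind: 'jwt', ok: false, reason: 'expired or no exp', aud };
  }
  return { kind: 'jwt', ok: true, alg: header.alg, aud };
}

// Constructed sample token (ASCII claims only, placeholder signature).
function sampleJwt(claims) {
  const enc = (o) => {
    const s = JSON.stringify(o);
    const b64 = typeof btoa === 'function'
      ? btoa(s) : Buffer.from(s, 'binary').toString('base64');
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.sig';
}
```

Calling `inspectAccessToken(authResult.accessToken, '<unique identifier for my api>', Date.now() / 1000)` in the login callback shows which of the two token types was issued before the request reaches API Gateway.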