How to configure Audience parameter for multi-website?

Problem statement

I am wondering about the audience settings in the case of multiple websites, and what best practice you would recommend.

For example, we have:
Website 1 : https://c.mywebsite.com => Angular with Auth0 SDK + Symfony with Auth0 JWT Bundle
Website 2 : https://www.mywebsite.com => Angular with Auth0 SDK + Symfony with Auth0 JWT Bundle

At first, on the front module configuration I was using https://{tenant}.auth0.com/api/v2/ as the value for my audience. But I think that API has too many permissions, so it is not a good idea to use it for this authentication purpose.

If I create a new API for every site we have and configure it in each project, it's working, but since in the Symfony bundle we can only configure one audience, it does not work if our Website 2 makes an API call on Website 1 with an access_token generated on Website 2. The JWT decode will throw an error because the audiences are different.

What do you recommend?

  • Create and use the same Auth0 API for all our websites + Mobile applications (= same audience everywhere)?
  • Create a different Auth0 API for each website and, instead of configuring the audience used by the Front App (c.mywebsite.com/api …), configure the Symfony bundle on our API side with audience: "https://{tenant}.auth0.com/userinfos", which will allow API calls between the different websites?

Solution

Multiple audiences are not supported in the access token currently.

You could authorize (could be silent authentication) a second time to use a different audience and as a consequence obtain an access token suitable to another API.

You could also configure a logical API for multiple APIs. If you have multiple distinct API implementations that are all logically a part of the same API, you can simplify your authorization process by representing them with a single logical API in the Auth0 Dashboard. Doing this allows you to implement just one authorization flow, while still controlling access to the individual APIs by assigning the appropriate scopes.
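As an added example that is not part of the original answer, the audience and scope check a backend performs on an access token, showing why the cross-site call in the question fails with one API per site and passes with a single logical API whose scopes gate each backend. Hostnames, audience URIs, scope names and TENANT are constructed placeholders, and signature verification is assumed to have happened already.

```javascript
// Added example (not from the original post): the audience and scope check a
// backend performs on an already signature-verified access token.
// Hostnames, audience URIs, scope names and TENANT are constructed placeholders.

// Per-site APIs (one Auth0 API per website): each backend has its own audience.
const SITE_APIS = {
  "c.mywebsite.com":   { audience: "https://c.mywebsite.com/api",   requiredScope: null },
  "www.mywebsite.com": { audience: "https://www.mywebsite.com/api", requiredScope: null },
};

// Logical API: one audience shared by all backends, each gated by its own scope.
const LOGICAL_API = {
  "c.mywebsite.com":   { audience: "https://api.mywebsite.com", requiredScope: "read:c-site" },
  "www.mywebsite.com": { audience: "https://api.mywebsite.com", requiredScope: "read:www-site" },
};

// RFC 7519: `aud` is either a single string or an array of strings.
function audienceMatches(aud, expected) {
  const list = Array.isArray(aud) ? aud : [aud];
  return list.includes(expected);
}

// Decision the backend serving `host` makes; `claims` is the verified JWT payload.
function authorize(claims, backends, host, now = Math.floor(Date.now() / 1000)) {
  const api = backends[host];
  if (!api) return { ok: false, reason: "unknown host" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  if (!audienceMatches(claims.aud, api.audience)) return { ok: false, reason: "audience mismatch" };
  if (api.requiredScope) {
    const granted = typeof claims.scope === "string" ? claims.scope.split(" ") : [];
    if (!granted.includes(api.requiredScope)) return { ok: false, reason: "insufficient scope" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample claims, shaped like Auth0 access tokens for each setup.
const FUTURE = 4102444800; // 2100-01-01, keeps the samples unexpired
const ISS = "https://TENANT.auth0.com/";
// Per-site token issued to Website 2; Auth0 adds the userinfo endpoint as a second
// audience when `openid` is requested, so `aud` is an array here.
const tokenWww = { iss: ISS, aud: ["https://www.mywebsite.com/api", ISS + "userinfo"], exp: FUTURE, scope: "openid" };
// Logical-API tokens: one with scopes for both backends, one limited to the www backend.
const tokenLogicalAll = { iss: ISS, aud: "https://api.mywebsite.com", exp: FUTURE, scope: "openid read:c-site read:www-site" };
const tokenLogicalWww = { iss: ISS, aud: "https://api.mywebsite.com", exp: FUTURE, scope: "openid read:www-site" };

// The cross-site call from the question: a Website 2 token presented to Website 1's API.
console.log(authorize(tokenWww, SITE_APIS, "c.mywebsite.com").reason);          // audience mismatch
console.log(authorize(tokenLogicalAll, LOGICAL_API, "c.mywebsite.com").reason); // ok
console.log(authorize(tokenLogicalWww, LOGICAL_API, "c.mywebsite.com").reason); // insufficient scope
```

With the logical API, the front end still requests a single audience, and which backend a token may reach is decided by the scopes Auth0 granted rather than by the `aud` claim alone.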
