Auth0 Home Blog Docs

How to handle multiple API's using audience token?

api
audience
auth0-js

#1

I want to add an API in my node server, which I already have working. The problem is that I want to handle both the default Auth0 Management API and my node server API. It seems like according to this post I can’t create my client against two audiences.

In addition I have issues trying to use Auth0.js client.userInfo function using the API’s audience. How do you guys suggest doing something like this. I was thinking about trying to authorize a second time with my API as an audience with the id token received on a login without the audience, but I don’t see a way of doing that.

I also found a way to at least get the profile using the scopes openid profile, but I assume this will not allow me to edit the users profile. In addition I no longer see the email field instead I see a name field and I also don’t see the user metadata I added to the user using a rule I created.


#2

You can indeed authorize a second time to use a different audience and as a consequence obtain an access token suitable to another API, however, you mention that one of the two audiences being used is the Management API. In this situation I would consider the following, only request an audience targeting your API and obtain access tokens meant for the Management API only through a client credentials flow that would be performed by your API/ Node server.

The above would mean that any access to the Management API would be brokered through your own API and the client application would only manage access tokens associated with your own API (the Management API access tokens would only be available with the server-side of your API).

In addition, the scope openid profile grants access to user profile information, but email is not included in the set of properties associated with the profile scope. If you also want to have access to the email address, you should also include the emailscope. In relation to user metadata, since this is not standard information you’ll need to use custom claims if you want to include it in the issued ID token. Finally, in order for the access tokens issued to your API to also be usable in the /userinfo endpoint you need to ensure that your API is configured to use RS256 as the signing method.


#3