Our service issues tokens to many consumers. We are now obtaining a token following the standard procedure, sending the API identifier as the audience.
How can we stop setting the audience? Can we work with opaque tokens only (and if that’s the case, how we decode it)? Can we remove the audience claim somehow after we get a token from Auth0 (and if that’s the case, how we handle validations)?
If you do not set an audience, the access token will default to an opaque token intended for the authentication API. Opaque tokens cannot be decoded, as an added layer of security and are only intended for the authentication API. You cannot edit/remove/update information in a JWT, they are immutable, signed and changing anything would invalidate the token.
I am not sure I fully understand the use-case for removing the audience. The tokens are meant to be consumed by all APIs? And are scoped for all scopes for all APIs? Can you expand on your example:
Why not request a token with the audience set to all APIs?
So yes, tokens are scoped for all scopes for all APIs. That’s why we thought about removing it, as it is optional and we didn’t want consumers to add extra validations. We are not planning to issue “multi-scope” tokens any time soon, so I guess we can leave the audience as it is, and avoid validations by consumers. But please let me know if you have any recommendation.
I can see what you’re saying. If you have some feedback for the product team feel free to submit a feedback ticket. We like to hear about our customers needs.