How to make the audience optional or to stop setting it?

Our service issues tokens to many consumers. We are now obtaining a token following the standard procedure, sending the API identifier as the audience.

I understand that the audience claim is optional for JWTs (https://tools.ietf.org/html/rfc7519#section-4.1.3). We would like to stop setting it, as the tokens our service issues are currently for all consumers. However, if we don’t send the audience to Auth0 we get “an opaque” token and we cannot decode it (JWT.decode), getting “JWT must have 3 parts” (as discussed here http://community.auth0.com/t/what-does-jwt-must-have-3-parts-mean/7228).

How can we stop setting the audience? Can we work with opaque tokens only (and if that’s the case, how do we decode them)? Can we remove the audience claim somehow after we get a token from Auth0 (and if that’s the case, how do we handle validations)?

Hi @leandro.iriarte,

Welcome to the Auth0 Community Forum!

If you do not set an audience, the access token will default to an opaque token intended for the authentication API. Opaque tokens cannot be decoded, as an added layer of security, and are only intended for the authentication API. You cannot edit/remove/update information in a JWT; they are immutable and signed, and changing anything would invalidate the token.

I am not sure I fully understand the use-case for removing the audience. The tokens are meant to be consumed by all APIs? And are scoped for all scopes for all APIs? Can you expand on your example:

Why not request a token with the audience set to all APIs?

Thanks,
Dan

Hi Dan,

Thank you very much for your advice.

So yes, tokens are scoped for all scopes for all APIs. That’s why we thought about removing it, as it is optional and we didn’t want consumers to add extra validations. We are not planning to issue “multi-scope” tokens any time soon, so I guess we can leave the audience as it is, and avoid validations by consumers. But please let me know if you have any recommendation.

Cheers
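The consumer-side view of the two points discussed above (opaque token versus JWT, and what an audience validation involves), as an added example that is not part of the original posts or Auth0's own code. HS256, the secret, the API identifier and all function names are constructed assumptions; expiry and issuer checks are left out to keep the focus on structure, signature and `aud`.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"          # constructed signing key
API_ID = "https://api.example.test/orders"   # constructed API identifier
OPAQUE = "constructedOpaqueAccessToken123"   # constructed opaque token

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a constructed HS256 JWT for the demo."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{b64url(mac(signing_input, secret))}"

def check_access_token(token: str, secret: bytes, expected_aud: str) -> dict:
    """Return the claims only if the token is a validly signed JWT issued for us."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque token has no header.payload.signature structure to decode.
        raise ValueError("not a 3-part JWT (opaque token?)")
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("malformed JWT segment") from exc
    # Pin the expected algorithm instead of trusting whatever the header says.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, mac(f"{head}.{body}", secret)):
        raise ValueError("bad signature")
    # RFC 7519 section 4.1.3: aud is a single string or an array of strings.
    aud = claims.get("aud") if isinstance(claims, dict) else None
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    return claims
```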

Thanks for the response.

I can see what you’re saying. If you have some feedback for the product team, feel free to submit a feedback ticket. We like to hear about our customers’ needs.

Thanks!
Dan
