Invalid audience when using oidc-client

So, a quick rundown of my app: I have an Angular front end with a .NET Core 2.2 API. This is a bit of a migration of an existing application that is currently an MVC.NET app, but the Angular app and API project are new.

I’ve gone the route of using the oidc-client library in Angular, and I’m able to authenticate just fine; I can properly generate a JWT token and pass it through an interceptor. However, on the API side I am getting errors saying that the audience is invalid. I’ve properly set the audience on the API side, but I was unsure of where to set the proper audience on the Angular side. An example of my current settings:

OidcSettings: {
  // note: authority is http:// here while metadata.issuer below is https://;
  // the two must match exactly or issuer validation on the id_token fails
  authority: "http://myCompany.auth0.com/",
  client_id: "clientId",                              // SPA client id; also what the id_token's aud is set to
  redirect_uri: "http://localhost:5000/callback",
  post_logout_redirect_uri: "http://localhost:5000/",
  response_type: "id_token token",                    // implicit flow: id_token and access_token from /authorize
  scope: "openid profile email offline_access",       // profile/email claims land in the id_token, not the access token
  filterProtocolClaims: true,
  loadUserInfo: true,                                 // oidc-client calls userinfo_endpoint with the access token
  metadata: {                                         // hard-coded discovery document (no .well-known fetch)
    issuer: "https://myCompany.auth0.com/",
    authorization_endpoint: "https://myCompany.auth0.com/authorize",
    token_endpoint: "https://myCompany.auth0.com/oauth/token",
    userinfo_endpoint: "https://myCompany.auth0.com/userinfo",
    mfa_challenge_endpoint: "https://myCompany.auth0.com/mfa/challenge",
    jwks_uri: "https://myCompany.auth0.com/.well-known/jwks.json",  // public keys used to check RS256 signatures
    registration_endpoint: "https://myCompany.auth0.com/oidc/register",
    revocation_endpoint: "https://myCompany.auth0.com/oauth/revoke",
  }
}

Hi @dhurt,

Welcome to the Auth0 Community Forum!

The audience is the identifier of the resource. It will be shown in your API settings like this:

The API will use it to verify that it is the resource the token is intended for.

Here is an example of setting up an auth service in Angular; it uses the Auth0 library, but you should get the point:

Hope this helps!

Thanks,
Dan

Thanks for the response Dan! Unfortunately, the issue I’m running into is slightly different.

The legacy app that we’re working to replace uses an OIDC-compliant library to do authentication. Part of the token that it gets back contains the email address, and that is used to do user lookups in our identity database. Using the Auth0 libraries, my JWT token does not contain the user email.

So maybe the better question would be: how can I get that information? Using the oidc-connect JavaScript library to authenticate and generate the JWT token, this information shows up just fine (but the audience property is set to the client id). But when I use the Auth0 library, the audience is properly set to the value you called out, but the profile information is missing. I hope this clarifies a little of the issue I’m seeing…

@dhurt,

Can you please DM me a HAR file of the transaction so I can investigate further?
