Jwt audience invalid - It's client_id instead of the real audience

Hello,
I’ve got a SPA (Angular) which authorizes like this:

import * as Auth0 from 'auth0-js'; // auth0-js exports the WebAuth client used below

webAuth = new Auth0.WebAuth({
  clientID: 'myApplicationsClientID',
  domain: 'the.applications.domain',
  responseType: 'token id_token',
  redirectUri: 'http://localhost:4200/authorize',
  audience: 'https://the.api.identifier',
  scope: 'openid',
});

On the secured API (NodeJS + Restify) I use the middleware from Developing Well-Organized APIs with Node.js, Joi, and Mongo

const jwt = require('express-jwt');   // middleware that verifies the bearer token
const jwksRsa = require('jwks-rsa');  // resolves the signing key from the JWKS endpoint

const tokenGuard = jwt({
    // Fetch the signing key based on the KID in the header and
    // the signing keys provided by the JWKS endpoint.
    secret: jwksRsa.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksUri: `https://the.applications.domain/.well-known/jwks.json`,
    }),

    // Validate the audience and the issuer.
    audience: 'https://the.api.identifier',
    issuer: `https://the.applications.domain/`,
    algorithms: [ 'RS256' ],
});

When I send a request with header “authorization: Bearer id_token” I receive the error jwt audience invalid. expected: https://the.api.identifier.
Debugging the node_modules/jsonwebtoken/verify.js shows me that the target audience from the payload is the defined clientID, not the given audience.

Any ideas?

2 Likes

I’ve read on another post that the audience is always the client_id in the context of id_tokens.
So to fix it, I just removed the line audience: 'https://the.api.identifier', from the tokenGuard on my API.
Is that an appropriate solution? I can’t set the clientID as the expected audience, because there are multiple applications with different clientIDs accessing the api (SPA and M2M).

1 Like

If you have an API that will be called from different applications, then you should consider sending an appropriate access token instead of the ID token. For reference information see (Authentication and Authorization Flows), but the main point is that an ID token is always issued in association with the particular client that started the authentication, and an access token is a token that can be requested for a specific API identifier.

The above means that multiple applications (client identifiers) will be able to request an access token for the same API, and the audience claim in that access token will be the API identifier itself. This way you maintain audience validation in the API while also allowing multiple applications to obtain tokens for the API.

1 Like