Hello,
I’ve got a SPA (Angular) which authorizes like this:
// auth0-js client (import added so the snippet is self-contained)
import * as Auth0 from 'auth0-js';

const webAuth = new Auth0.WebAuth({
  clientID: 'myApplicationsClientID',
  domain: 'the.applications.domain',
  // Request both an access token and an ID token in the callback fragment.
  responseType: 'token id_token',
  redirectUri: 'http://localhost:4200/authorize',
  // The API identifier the access token should be issued for.
  audience: 'https://the.api.identifier',
  scope: 'openid',
});
On the secured API (NodeJS + Restify) I use the middleware from Developing Well-Organized APIs with Node.js, Joi, and Mongo
const jwt = require('express-jwt');
const jwksRsa = require('jwks-rsa');

const tokenGuard = jwt({
  // Fetch the signing key based on the KID in the header and
  // the signing keys provided by the JWKS endpoint.
  secret: jwksRsa.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksUri: `https://the.applications.domain/.well-known/jwks.json`,
  }),
  // Validate the audience and the issuer.
  audience: 'https://the.api.identifier',
  issuer: `https://the.applications.domain/`,
  algorithms: ['RS256'],
});
When I send a request with header “authorization: Bearer id_token” I receive the error jwt audience invalid. expected: https://the.api.identifier.
Debugging node_modules/jsonwebtoken/verify.js shows me that the target audience from the payload is the defined clientID, not the given audience.
Any ideas?