I am using angular2-jwt to initially authenticate, and then passing the id_token to my server to authenticate against my REST API. When Auth0 redirects back to my angular app with the JWT, it seems to be passing an incorrect aud (audience) in the JWT. My server rejects the JWT due to validation errors with the audience. The audience I requested was by Auth0 identifier (http://XXX.YYY.com/api). The aud returned when I inspect the JWT with jwt.io is mpXWwpAOBTt5aUM1SE2q5KuUtr4YvUE9. Why is the aud being returned with the incorrect value?
Yes, the audience for an id_token will be the Client ID for the Client to which the id_token was issued.
The audience for your access_token will be for the API Identifier (“http://XXX.YYY.com/api”). You should be sending the access_token to authenticate requests to your API Server.
Please see the following docs to understand the difference between and usage of the two:
Also, see this section of the Angular Quickstart:
https://auth0.com/docs/quickstart/spa/angular2/03-calling-an-api
Wow. Not sure what changed. I was trying to use “access_token” at one point. But, the access_token didn’t look like a JWT. It was short, something like “xyasdfk_kjfdsa234”. Now, when I look again, it is much longer, and looks like a properly formatted JWT. Again, not sure what changed, but thanks for having me look again!
If you do not pass an audience parameter, then the access_token being returned will be short like you mentioned. So I think what changed was that at some point you did not pass an audience parameter and then, later on, you changed your app to pass it.
I know I’ve always sent an audience in my original request. However, I later realized that the audience was incorrect. So I changed it.
Is it correct behavior that if an incorrect audience is passed, the access_token will be very small (like previously mentioned)?
I am not sure. Perhaps if the audience is invalid (i.e. there is no API Identifier with that value), then it is the same as sending no audience.
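
Added example, not part of the thread or of Auth0's code: a small Node.js diagnostic that tells apart the three token shapes discussed above (a JWT whose aud is the Client ID, a JWT whose aud is the API Identifier, and a short opaque access_token). The function names and sample tokens are constructed for illustration; the check only reads claims and does not replace signature verification on the API server.

```javascript
// Added diagnostic example: inspects token shape and the aud claim only.
// It does NOT verify the signature; the API server must still do that.
const API_IDENTIFIER = 'http://XXX.YYY.com/api';       // placeholder from the thread
const CLIENT_ID = 'mpXWwpAOBTt5aUM1SE2q5KuUtr4YvUE9';  // aud value quoted in the thread

function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical helper. Returns { kind, aud } where kind is one of:
// 'opaque', 'malformed', 'audience_is_api', 'audience_is_client', 'other_audience'.
function classifyToken(token, apiIdentifier, clientId) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { kind: 'opaque', aud: [] };
  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch (err) {
    return { kind: 'malformed', aud: [] };
  }
  if (claims === null || typeof claims !== 'object') return { kind: 'malformed', aud: [] };
  // RFC 7519 allows aud to be one string or an array of strings.
  const aud = [].concat(claims.aud === undefined ? [] : claims.aud);
  if (aud.includes(apiIdentifier)) return { kind: 'audience_is_api', aud };
  if (aud.includes(clientId)) return { kind: 'audience_is_client', aud };
  return { kind: 'other_audience', aud };
}

// Constructed sample tokens (dummy signature, not issued by any real tenant).
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}

const samples = {
  idToken: makeSample({ aud: CLIENT_ID, sub: 'constructed|user' }),
  accessToken: makeSample({ aud: [API_IDENTIFIER], sub: 'constructed|user' }),
  opaqueToken: 'xyasdfk_kjfdsa234', // the short form quoted in the thread
};

for (const [name, tok] of Object.entries(samples)) {
  console.log(name, classifyToken(tok, API_IDENTIFIER, CLIENT_ID).kind);
}
```

A result of audience_is_client or opaque for the token the app sends to the API matches the two symptoms described in the thread.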