JWT token is "invalid signature"?

Thank you, both. I think the reality is I’m just rather out of my depth. I feel like I’m patching many and various concepts together from different docs articles and trying to make it all work. I appreciate all the advice that’s been given.

So here is what I have now done, based on the latest advice.

  1. I have set up an API under Applications > APIs. I have given it the identifier https://my-api

  2. I am now passing the audience param to getTokenSilently() via getTokenSilently({audience: 'https://my-api'}).

However this results in no change. The access token I get back from getTokenSilently(), even though I’m now specifying the audience, is still not a valid JWT according to JWT.io and thus not something I can validate back-end.

This article suggests I must specify audience (my API identifier) in the Auth0 constructor. I’ve tried this too, but same result.

const auth0Client = await auth0.createAuth0Client({
	domain: '********',
	clientId: '********',
	audience: 'https://my-api',
	...

It’s also not clear which Auth0 application my browser should be connecting to. I have a SPA application, but when I created the API, this implicitly created a second (machine-to-machine) application. Only the former works with the browser flow. Yet presumably my API works only with the latter?

[[[ ---- EDIT ---- ]]]

Whoop! I finally got it working. It seems that I needed to specify audience within the authorizationParams sub-object in the constructor, i.e.

const auth0Client = await auth0.createAuth0Client({
	domain: '********',
	clientId: '********',
	authorizationParams: {
		redirect_uri: window.location.origin,
		audience: 'https://my-api'
	}
	...

I’d still be interested to know which application I should be using, though - the one I set up (the SPA application) or the one that was implicitly created (machine-to-machine) when I created my API. And how come, when I go to my API > Test, it lets me test it only in the context of the machine-to-machine application, yet my browser login works only with the SPA application client ID?

Continued thanks!
