Limiting the audience of an access token to a single value

I have integrated the Auth0 Universal Login into my Android app. I am requesting the offline_access scope to ensure I get a refresh token. I am not including any other scopes. I also set the audience, because my backend requires it to be set in the access token. The problem is that when I get my access token and decode it, the aud claim is an array containing two audiences: the one I requested and a "https://my-domain.us.auth0.com/userinfo" audience.

The problem is that I am using an off-the-shelf package called PostgREST for my backend, and it is expecting a single string for the audience - not an array. Is there any way to request an access token and refresh token for a given audience, and not end up with an array of audiences? I was able to accomplish this in my web app using just the Authorization Code Flow, but is it possible when doing the Authorization Code Flow with PKCE?

For anyone else who sees this: this was an error in my code that attached the access token to the request. I have verified for certain that PostgREST can in fact handle an array of audiences. You can only specify one audience to PostgREST, but as long as that audience is in the array of audiences in the token, you are fine.


Thanks for sharing @pmgdev! FWIW, you can only specify a single audience for Auth0 JWT access tokens, and the second userinfo audience is included by default.
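The behaviour both replies describe (a backend configured with one audience accepting a token whose aud claim is an array that contains it) is exactly what RFC 7519 section 4.1.3 requires: aud may be a single string or an array of strings, and a verifier must accept the token if its own identifier appears in either form. The following stdlib-only Python verifier is an added example, not code from this thread, from PostgREST or from Auth0. It assumes a hypothetical API identifier https://api.example.com and signs its sample tokens with a constructed HS256 demo secret so that it runs offline; real Auth0 access tokens are RS256-signed and must be verified against the tenant's JWKS instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; NOT a real signing key. Real Auth0 access tokens are
# RS256-signed and must be verified against the tenant JWKS, not a shared secret.
DEMO_SECRET = b"demo-hs256-secret-not-a-real-key"
# Hypothetical API identifier; this is the "audience" the client app requests.
EXPECTED_AUD = "https://api.example.com"
# The extra audience Auth0 adds by default (string taken from the thread above).
USERINFO_AUD = "https://my-domain.us.auth0.com/userinfo"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS. Only used here to construct sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def audience_matches(aud_claim, expected: str) -> bool:
    """RFC 7519 s4.1.3: 'aud' is a single StringOrURI or an array of them.
    The token is acceptable if the expected audience appears in either form."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    if isinstance(aud_claim, list):
        return any(isinstance(a, str) and a == expected for a in aud_claim)
    return False  # missing or malformed aud never matches


def verify_access_token(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Check signature first, then exp, then aud. Raises ValueError on failure
    and returns the payload only when every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token pick it (alg=none, key confusion).
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired or has no exp")
    if not audience_matches(payload.get("aud"), expected_aud):
        raise ValueError(f"aud {payload.get('aud')!r} does not include {expected_aud!r}")
    return payload


def demo(now: float = 1_700_000_000) -> dict:
    """Run the three cases from the thread and report which tokens are accepted."""
    exp = now + 3600
    tokens = {
        # Auth0-style token: requested audience plus the default userinfo audience.
        "array_aud": make_hs256_token(
            {"sub": "auth0|demo", "aud": [EXPECTED_AUD, USERINFO_AUD], "exp": exp}, DEMO_SECRET),
        # Token with a single string audience (what the web app produced).
        "string_aud": make_hs256_token(
            {"sub": "auth0|demo", "aud": EXPECTED_AUD, "exp": exp}, DEMO_SECRET),
        # Token minted for a different API: must be rejected.
        "wrong_aud": make_hs256_token(
            {"sub": "auth0|demo", "aud": [USERINFO_AUD], "exp": exp}, DEMO_SECRET),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            verify_access_token(tok, DEMO_SECRET, EXPECTED_AUD, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The order of checks matters: the signature is verified before any claim is read, so an attacker cannot steer validation by editing aud or exp in an unsigned payload, and the algorithm is pinned by the verifier rather than taken from the token header. The audience check then asks only whether the backend's single configured identifier is a member of aud, which is why a token carrying both the API audience and the userinfo audience is accepted while one minted for a different API is not.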
