Multiple audiences in an AuthToken

As most companies would, we have multiple client apps and multiple servers.
Some of those clients need access to more than one server.

We need a flow that allows users to auth once from which we get an AccessToken that we can supply to the relevant servers.

The natural way to do that is to provide multiple audiences with the auth request so that the auth token contains multiple audiences.

I have read the other posts on here which indicate that this isn’t possible with Auth0, because … not interested … not implemented … not something.

The stated workaround in Auth0 is to create an UberApi and then use scopes within that API to partition access to each of the APIs that it represents.

The problems with this approach are that:

  1. Scopes are there to limit an application’s access to user data. Audiences are there to limit a user’s access to a server resource.

  2. Using scopes in this manner means that you need bespoke code in each server that decodes the token and parses it for specific scope(s). Introducing code complexity and error for a simple cross cut.

  3. Taking this to its logical conclusion means that you would have a single Audience for all your server resources and within that Audience you would have a custom scope for every server resource that you expose. Which would totally defat the whole API/audience concept in the first place.

So my questions are:

  1. Why does Auth0 not cater for multiple audiences in an access token when the OAuth spec clearly allows for it?

  2. When will Auth0 implement multiple audiences in an access token?

Hey there @william3 welcome to the community, and sorry for the delayed response!

Makes total sense why you want to see the ability to add multiple resources/audiences - I’m glad you’re aware of the current recommend approach of a logical API.

In OAuth, a typical access token has one audience, to restrict any potential damage from a leaked token.

This is a point of discussion internally however I’m unable to provide any sort of time frame as to when or if this will get implemented.

I’m actually surprised that in doing a quick search through our feedback category there isn’t an existing request regarding multiple audiences. I definitely recommend creating one as our product team keeps a close eye on these and this is obviously a common ask!

Thanks for replying Tyf.

I wasn’t aware of the feature request section of the community.

I have created Implement multiple audiences in an access token

1 Like

No problem, thanks for adding the feedback request! I think it’ll get votes quickly knowing how often this comes up :crossed_fingers: