My token has multiple audiences. Is that normal?

I have a react SPA and an elixir API.

The API has a machine to machine token so it can create users on auth0.

In the SPA I can log in successfully all good, I set the bearer successfully as per this guide: https://auth0.com/docs/quickstart/spa/react/02-calling-an-api?download=true

However when my API verifies the token it fails because the audience I get from the JWT is an array of two items:

"aud" => ["the_correct_expected_aud_here", "https://my_tenant_here/userinfo"],

Is that second audience fine? Expected? A serious issue that needs love and attention?
I can tell my verifier to expect the audience to be the above, but I’m not sure of the implications.

This post suggests that multiple audiences aren’t even a thing: Access tokens with multiple audiences

Any clarification much appreciated.

Thanks!


It’s expected and the only exception for containing multiple audiences. Otherwise, it’s not possible to support two of your own audiences with one access token.


Thanks! What’s the reason it’s there though? That’s the bit I’m not sure on.

Ahh there are two because one’s for the machine to machine access token right? I think I get it! Thanks

Does that mean a user with that id token can also hit the auth0 user info api though?

Friendly ping @mathiasconradt

Does that mean a user with that id token can also hit the auth0 user info api though?

No, but with the access token. The ID token is self-contained and can’t/shouldn’t be used against an API. The reason that the /userinfo audience is in the access token is that you don’t necessarily need an ID token but can retrieve the very same user info from the Auth0 /userinfo endpoint.
The benefit is that the information you retrieve from there is always up to date, while the ID token obviously doesn’t update itself in case of, i.e., changes in the user profile.
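As an added illustration (not code from this thread, whose API is written in Elixir), here is how an API-side verifier can handle a JWT `aud` claim that is either a string or an array: the token is accepted as long as the API’s own identifier is present, and any audience the API does not recognise is surfaced for logging. The API identifier and the sample claim sets are constructed for the example.

```python
"""Audience check for an Auth0-style access token whose "aud" claim may be
an array. Constructed example; the API identifier below is assumed."""

API_AUDIENCE = "https://api.example.com"            # assumed identifier of our API
TENANT_USERINFO = "https://my_tenant_here/userinfo"  # second audience seen in the thread

# Audiences Auth0 is known to add alongside ours; anything else is worth a log line.
KNOWN_EXTRA_AUDIENCES = {TENANT_USERINFO}


def audience_ok(claims: dict, expected: str = API_AUDIENCE) -> bool:
    """Return True if this API is among the token's intended recipients.

    RFC 7519 allows "aud" to be a single string or an array of strings, and the
    recipient must find its own identifier in it. Comparing the whole array for
    equality is brittle: it rejects valid tokens as soon as Auth0 appends the
    /userinfo audience, and breaks again if that list ever changes.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        auds = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        auds = aud
    else:
        return False  # missing or malformed claim: reject, never default to accept
    return expected in auds


def unexpected_audiences(claims: dict, expected: str = API_AUDIENCE) -> set:
    """Audiences other than ours and the known /userinfo entry, for logging."""
    aud = claims.get("aud", [])
    auds = {aud} if isinstance(aud, str) else set(aud)
    return auds - {expected} - KNOWN_EXTRA_AUDIENCES


# Constructed claim sets mirroring the thread: SPA access token with two audiences,
# machine-to-machine access token with one, and an ID token whose "aud" is the
# SPA's client id rather than the API (so the API must reject it).
SPA_ACCESS_TOKEN = {"aud": [API_AUDIENCE, TENANT_USERINFO], "sub": "auth0|123"}
M2M_ACCESS_TOKEN = {"aud": API_AUDIENCE, "sub": "m2m_client_id@clients"}
ID_TOKEN = {"aud": "spa_client_id", "sub": "auth0|123"}

if __name__ == "__main__":
    for name, claims in [("spa", SPA_ACCESS_TOKEN), ("m2m", M2M_ACCESS_TOKEN), ("id", ID_TOKEN)]:
        print(name, audience_ok(claims), unexpected_audiences(claims))
```

Signature and expiry checks still run before this; the audience check only decides whether a token that is otherwise valid was minted for this API.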

Hey @mathiasconradt, can that be better documented on the Get Access Tokens page?

From the page:

Access Tokens can have multiple target audiences as long as your custom API’s signing algorithm is set to RS256.

That led me to believe I could specify multiple audiences on my call to the authorize endpoint.

That’s indeed confusing. I’ll submit an internal ticket to the documentation team.
