I have a React SPA and an Elixir API.
The API has a machine-to-machine token so it can create users on Auth0.
In the SPA I can log in successfully all good, I set the bearer successfully as per this guide: https://auth0.com/docs/quickstart/spa/react/02-calling-an-api?download=true
However when my API verifies the token it fails because the audience I get from the JWT is an array of two items:
"aud" => ["the_correct_expected_aud_here", "https://my_tenant_here/userinfo"],
Is that second audience fine? Expected? A serious issue that needs love and attention?
I can tell my verifier to expect the audience to be the above, but I’m not sure of the implications.
This post suggests that multiple audiences aren't even a thing: Access tokens with multiple audiences
Any clarification much appreciated.