Is that second audience fine? Expected? A serious issue that needs love and attention?
I can tell my verifier to expect the audience to be the above, but I’m not sure of the implications.
It’s expected and the only exception for containing multiple audiences. Otherwise, it’s not possible to support two of your own audiences with one access token.
Does that mean a user with that id token can also hit the auth0 user info api though?
No, but with the access token. The ID token is self-contained and can’t/shouldn’t be used against an API. The reason that the /userinfo audience is in the access token is that you don’t necessarily need an ID token but can retrieve the very same user info from the Auth0 /userinfo endpoint.
The benefit is that the information you retrieve from there is always up to date, while the ID token obviously doesn’t update itself in case of, e.g., changes in the user profile.
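As an added example (not code from the thread or from Auth0), here is how a resource server's verifier can apply the rule described above: the tenant's /userinfo endpoint is the only extra audience permitted beside your own API identifier, and an ID token (whose audience is the client id) never passes. It assumes the JWT signature has already been verified (e.g. with PyJWT against the tenant's JWKS) and that the tenant domain, API identifier and client id below are placeholders.

```python
# Audience policy for Auth0 access tokens, added example (not the thread's code).
# Assumes `claims` were already signature-verified (e.g. PyJWT + tenant JWKS);
# this only decides whether the verified claims are acceptable for our API.
# Tenant domain, API identifier and client id are constructed placeholders.

TENANT = "https://example-tenant.auth0.com/"      # placeholder issuer
API_AUDIENCE = "https://api.example.com"          # placeholder API identifier
USERINFO_AUDIENCE = TENANT + "userinfo"           # the one extra audience Auth0 adds


def audience_accepted(claims: dict) -> bool:
    """True if the verified claims may be used against our API.

    Rules from the thread: `aud` may be a string or a list; our API identifier
    must be present; the tenant's /userinfo endpoint is the only other audience
    allowed (anything else means the token was minted for a different API); an
    ID token, whose `aud` is the application's client id, never qualifies.
    """
    if claims.get("iss") != TENANT:
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = {aud}
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = set(aud)
    else:
        return False  # missing or malformed aud claim
    if API_AUDIENCE not in audiences:
        return False
    return audiences <= {API_AUDIENCE, USERINFO_AUDIENCE}


# Constructed sample claims in the shape Auth0 issues them.
ACCESS_TOKEN_CLAIMS = {
    "iss": TENANT,
    "sub": "auth0|123",
    "aud": [API_AUDIENCE, USERINFO_AUDIENCE],
    "scope": "openid profile",
}
ID_TOKEN_CLAIMS = {
    "iss": TENANT,
    "sub": "auth0|123",
    "aud": "my-client-id",   # placeholder client id, not an API identifier
    "email": "user@example.com",
}

if __name__ == "__main__":
    print(audience_accepted(ACCESS_TOKEN_CLAIMS))  # True: API + /userinfo only
    print(audience_accepted(ID_TOKEN_CLAIMS))      # False: ID token is not for APIs
```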