My token has multiple audiences. Is that normal?

adam6 · April 20, 2020, 1:33pm

I have a react SPA and an elixir API.

The API has a machine to machine token so it can create users on auth0.

In the SPA I can log in successfully all good, I set the bearer successfully as per this guide: https://auth0.com/docs/quickstart/spa/react/02-calling-an-api?download=true

However when my API verifies the token it fails because the audience I get from the JWT is an array of two items:

"aud" => ["the_correct_expected_aud_here", "https://my_tenant_here/userinfo"],

Is that second audience fine ? Expected ? A serious issue that needs love and attention?
I can tell my verifier to expect the audience to be the above, but I’m not sure of the implications.

This post suggest that multiple audiences aren’t even a thing: Access tokens with multiple audiences

Any clarification much appreciated.

Thanks!

mathiasconradt · April 20, 2020, 3:35pm

It’s expected and the only exception for containing multiple audiences. Otherwise, it’s not possible to support two of your own audiences with one access token.

adam6 · April 20, 2020, 4:18pm

Thanks! What’s the reason it’s there though? That’s the bit I’m not sure on.

adam6 · April 20, 2020, 4:18pm

Ahh there are two because one’s for the machine to machine access token right? I think I get it! Thanks

adam6 · April 20, 2020, 4:30pm

Does that mean a user with that id token can also hit the auth0 user info api though?

konrad.sopala · April 23, 2020, 12:38pm

Friendly ping @mathiasconradt

mathiasconradt · April 23, 2020, 1:19pm

Does that mean a user with that id token can also hit the auth0 user info api though?

No, but with the access token. The ID token is self-contained, can’t/shouldn’t be used against an API. Reason that the /userinfo audience is in the access token is that you don’t necessarily need a ID token but can retrieve the very same user info from the Auth0 /userinfo endpoint.
Benefit is that the information you retrieve from there is always up to date, while the ID token obviously doesn’t update itself in case of i.e. changes in the user profile.

tim.jarzombek.alle · April 29, 2020, 7:04pm

Hey @mathiasconradt, can that be better documented on the Get Access Tokens page?

From the page:

Access Tokens can have multiple target audiences as long as your custom API’s signing algorithm is set to RS256 .

That lead me to believe I could specify multiple audiences on my call to the authorize endpoint.

mathiasconradt · April 29, 2020, 7:39pm

That’s indeed confusing. I’ll submit an internal ticket to the documentation team.

system · May 14, 2020, 7:39pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.