I am currently trying to get my login workflow working with Auth0, but struggling to generate JWT ID tokens which provide access to the /userprofile endpoint.
I have checked a lot of docs and other posts, and have already tried:
Ensuring my signing algorithm is RS256
Ensuring I include openid in the requested scope
Ensuring I specify the intended audience when linking to the Auth0-hosted login page (using the Client ID for my application)
I would expect to see an array of audience claims, including one specifying the /userprofile endpoint, but as you can see from the attached screenshot of the generated token, I do not get this.
After carefully reviewing the query parameters in your login request, I noticed that you are decoding an ID Token, which is in line with your response_type=id_token query parameter.
However, to obtain a JWT Access Token, you will need to include the response_type=token query parameter in your login request. By doing so, the resulting token will have the audience "aud" claim set to your Management API and the /userinfo endpoint.
Could you please give this a try and let me know how this goes?
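The difference the answer above describes (an ID token carrying the client ID as its single audience, versus an access token requested with response_type=token carrying the API identifier and the /userinfo endpoint) can be checked by decoding the token's payload. The following is an added example, not code from the thread or from Auth0: it builds two constructed sample tokens for a placeholder tenant domain, decodes them, and reports whether /userinfo is among the audiences. Decoding is only inspection; signature, issuer and expiry must still be verified against the tenant's JWKS before any claim is trusted.

```javascript
// Added example (not from the original thread): decode a JWT payload and check
// whether its "aud" claim lists the tenant's /userinfo endpoint.
// Decoding is NOT verification: signature, issuer and expiry must be checked
// against the tenant's JWKS before trusting any claim.

// Constructed placeholder tenant; a real one looks like "<tenant>.<region>.auth0.com".
const TENANT_DOMAIN = "example-tenant.auth0.com"; // assumption
const USERINFO_URL = `https://${TENANT_DOMAIN}/userinfo`;

// base64url helpers (Node >= 15.13 supports the "base64url" encoding).
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64url");
}
function b64urlDecode(str) {
  return Buffer.from(str, "base64url").toString("utf8");
}

// Build a constructed token for demonstration; the signature segment is a dummy.
function buildSampleToken(payload) {
  const header = { alg: "RS256", typ: "JWT" };
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.dummy-signature`;
}

// Decode header and payload without verifying the signature.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// "aud" may be a single string (typical ID token: the client ID) or an array
// (access token requested with response_type=token: API identifier + /userinfo).
function audiences(payload) {
  if (payload.aud === undefined) return [];
  return Array.isArray(payload.aud) ? payload.aud : [payload.aud];
}

// True when the token is addressed to the /userinfo endpoint.
function grantsUserinfo(token) {
  const { payload } = decodeJwt(token);
  return audiences(payload).includes(USERINFO_URL);
}

// Constructed samples mirroring the two cases discussed in the thread.
const SAMPLE_ID_TOKEN = buildSampleToken({
  iss: `https://${TENANT_DOMAIN}/`,
  sub: "auth0|constructed-user-id",
  aud: "constructedClientId123", // ID token: aud is the application's client ID
  name: "Sample User",
  email: "user@example.com",
  iat: 1700000000,
  exp: 1700003600,
});

const SAMPLE_ACCESS_TOKEN = buildSampleToken({
  iss: `https://${TENANT_DOMAIN}/`,
  sub: "auth0|constructed-user-id",
  aud: [`https://${TENANT_DOMAIN}/api/v2/`, USERINFO_URL], // access token: API + /userinfo
  scope: "openid profile email",
  iat: 1700000000,
  exp: 1700003600,
});

console.log("ID token grants /userinfo?    ", grantsUserinfo(SAMPLE_ID_TOKEN));
console.log("Access token grants /userinfo?", grantsUserinfo(SAMPLE_ACCESS_TOKEN));
```

Note that `audiences()` normalises both shapes of `aud`, so the same check works whether a string or an array comes back; an ID token will report false here even though it carries the profile claims, which is the behaviour the thread observes.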
I’ve tried using response_type=token, and that did indeed get it working. I notice that the Access Token doesn’t include key profile information, but I think I’m beginning to understand that the JWT ID Token is designed to provide that in one payload, to avoid having to call the /userprofile endpoint in the first place.
If there is any additional user profile information that you require in the access token, I recommend appending it as a custom claim using a Post-Login Action. This will allow you to include the desired information in the token itself.
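An added example of the Post-Login Action suggested above; it is not Auth0's own code or code from the thread. It follows the Auth0 Actions handler shape (`exports.onExecutePostLogin(event, api)`, `event.user.*`, `api.accessToken.setCustomClaim`) and copies a small, explicit set of profile fields into the access token under a placeholder namespace URL. The namespace, the sample event and the recording `api` mock are constructed for the example.

```javascript
// Added example (not Auth0's own code): a Post-Login Action that adds selected
// profile fields to the access token as namespaced custom claims.
// Custom claims should be namespaced with a URL you control so they cannot
// collide with standard/reserved JWT claim names.

const CLAIM_NAMESPACE = "https://example.com/claims/"; // assumption: your own namespace

// Core logic kept synchronous so it can be exercised directly with mock objects.
// Returns the list of claim names that were added.
function addProfileClaims(event, api) {
  const user = event.user || {};
  // Only explicitly selected fields; keep the token minimal on purpose.
  const selected = {
    email: user.email,
    name: user.name,
    email_verified: user.email_verified === true,
  };
  const added = [];
  for (const [key, value] of Object.entries(selected)) {
    if (value === undefined || value === null) continue; // skip absent fields
    api.accessToken.setCustomClaim(CLAIM_NAMESPACE + key, value);
    added.push(CLAIM_NAMESPACE + key);
  }
  return added;
}

// Handler in the shape the Auth0 Action editor expects.
async function onExecutePostLogin(event, api) {
  addProfileClaims(event, api);
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Minimal constructed stand-in for the Actions `api` object, recording claims.
function makeRecordingApi() {
  const claims = {};
  return {
    claims,
    accessToken: {
      setCustomClaim(name, value) {
        claims[name] = value;
      },
    },
  };
}

// Constructed login event.
const SAMPLE_EVENT = {
  user: {
    user_id: "auth0|constructed-user-id",
    email: "user@example.com",
    email_verified: true,
    name: "Sample User",
  },
};

const demoApi = makeRecordingApi();
console.log("added:", addProfileClaims(SAMPLE_EVENT, demoApi));
console.log("claims:", demoApi.claims);
```

Anything placed in the access token this way is readable by every API the token is sent to, so keep the selection to what those APIs actually need.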