No /userprofile in audience

Help
,
1

I am currently trying to get my login workflow working with Auth0, but struggling to generate JWT ID tokens which provide access to the /userprofile endpoint.
I have checked a lot of docs and other posts, and have already tried:

  • Ensuring my signing algorithm is RS256
  • Ensuring I include openid in the requested scope
  • Ensuring I specify the intended audience when linking to the Auth0-hosted login page (using the Client ID for my application)

I would expect to see an array of audience claims, including one specifying the /userprofile endpoint, but as you can see from the attached screenshot of the generated token, I do not get this.

Screenshot 2023-05-19 at 16.01.24
Screenshot 2023-05-19 at 16.01.241058×1822 78.4 KB

Any suggestions or ideas greatly appreciated.

Thanks, Matt

3

Hi @matt.green,

Welcome to the Auth0 Community!

When generating JWT tokens, you must make sure to specify your API’s identifier as the audience query parameter in the request.

image
image791×280 26.5 KB

(Reference: Get Access Tokens)

In this scenario, it looks like you may have passed the Client ID for the audience parameter when you mean to pass the API Identifier.

You can find the API Identifier in your API Settings.

I hope this helps!

Thanks,
Rueben

1 Like
4

Thanks for your reply, Rueben.

I have tried your suggestion but not had any success - I am currently sending users to the /authorize page (hosted by Auth0), with query parameters:

?client_id=<client_id>&nonce=123&scope=openid+profile+email&response_type=id_token&redirect_uri=https%3A%2F%2Fjwt.io%2F%3Fconnect&audience=https%3A%2F%2Ftriptease.us.auth0.com%2Fapi%2Fv2%2F

Even with the API identifier passed in the audience parameter, I still receive a JET which only has my client_id in the aud field.

image
image710×202 9.12 KB

Do you notice anything obvious I’m doing wrong here?

Thanks,
Matt

5

Hi @matt.green,

Thank you for your response.

After carefully reviewing the query parameters in your login request, I noticed that you are decoding an ID Token, which is in line with your response_type=id_token query parameter.

However, to obtain a JWT Access Token, you will need to include the response_type=token query parameter in your login request. By doing so, the resulting token will have the audience "aud" claim set to your Management API and the /userinfo endpoint.

Could you please give this a try and let me know how this goes?

Thanks,
Rueben

6

Hi Rueben,

I’ve tried using response_type=token, and that did indeed get it working. I notice that the Access Token doesn’t include key profile information, but I think I’m beginning to understand that the JWT ID Token is designed to provide that in one payload, to avoid having to call the /userprofile endpoint in the first place.

Thanks for your assistance with this issue.

Matt

1 Like
7

Hi @matt.green,

Thank you for your reply.

I am glad everything is working now!

If there is any additional user profile information that you require in the access token, I recommend appending them as a custom claim using a Post-Login Action. This will allow you to include the desired information in the token itself.

Please refer to our Adding custom claims to tokens FAQ for more details.

Please reach out again if you have any further questions.

Thanks,
Rueben

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.