No /userprofile in audience

I am currently trying to get my login workflow working with Auth0, but struggling to generate JWT ID tokens which provide access to the /userprofile endpoint.
I have checked a lot of docs and other posts, and have already tried:

  • Ensuring my signing algorithm is RS256
  • Ensuring I include openid in the requested scope
  • Ensuring I specify the intended audience when linking to the Auth0-hosted login page (using the Client ID for my application)

I would expect to see an array of audience claims, including one specifying the /userprofile endpoint, but as you can see from the attached screenshot of the generated token, I do not get this.

Any suggestions or ideas greatly appreciated.

Thanks, Matt

Hi @matt.green,

Welcome to the Auth0 Community!

When generating JWT tokens, you must make sure to specify your API’s identifier as the audience query parameter in the request.


(Reference: Get Access Tokens)

In this scenario, it looks like you may have passed the Client ID for the audience parameter when you mean to pass the API Identifier.

You can find the API Identifier in your API Settings.

I hope this helps!

Thanks,
Rueben


Thanks for your reply, Rueben.

I have tried your suggestion but not had any success - I am currently sending users to the /authorize page (hosted by Auth0), with query parameters:

?client_id=<client_id>&nonce=123&scope=openid+profile+email&response_type=id_token&redirect_uri=https%3A%2F%2Fjwt.io%2F%3Fconnect&audience=https%3A%2F%2Ftriptease.us.auth0.com%2Fapi%2Fv2%2F

Even with the API identifier passed in the audience parameter, I still receive a JWT which only has my client_id in the aud field.

Do you notice anything obvious I’m doing wrong here?

Thanks,
Matt

Hi @matt.green,

Thank you for your response.

After carefully reviewing the query parameters in your login request, I noticed that you are decoding an ID Token, which is in line with your response_type=id_token query parameter.

However, to obtain a JWT Access Token, you will need to include the response_type=token query parameter in your login request. By doing so, the resulting token will have the audience "aud" claim set to your Management API and the /userinfo endpoint.

Could you please give this a try and let me know how this goes?

Thanks,
Rueben

Hi Rueben,

I’ve tried using response_type=token, and that did indeed get it working. I notice that the Access Token doesn’t include key profile information, but I think I’m beginning to understand that the JWT ID Token is designed to provide that in one payload, to avoid having to call the /userprofile endpoint in the first place.

Thanks for your assistance with this issue.

Matt

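Added illustration of the two cases Rueben describes above and Matt confirms (this is not code from the thread or from Auth0's SDKs): it builds the /authorize URL for each response_type, pulls the token out of the redirect fragment, and inspects the aud claim. The tenant, client ID and redirect URI are placeholders, and the sample tokens are constructed and unsigned.

```javascript
// Added illustration (not code from the thread or from Auth0's SDKs). Tenant,
// client ID and redirect URI are placeholders; tokens below are constructed.
const DOMAIN = "example-tenant.us.auth0.com";          // placeholder tenant
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";             // placeholder application
const API_IDENTIFIER = `https://${DOMAIN}/api/v2/`;    // API identifier, not the client ID
const USERINFO = `https://${DOMAIN}/userinfo`;

// Build the /authorize URL. responseType "id_token" returns an ID token whose
// aud is the client_id; "token" returns an access token whose aud is the API
// identifier passed in `audience` plus the /userinfo endpoint.
function buildAuthorizeUrl(responseType, redirectUri, nonce) {
  const u = new URL(`https://${DOMAIN}/authorize`);
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("response_type", responseType);
  u.searchParams.set("scope", "openid profile email");
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("nonce", nonce);
  u.searchParams.set("audience", API_IDENTIFIER);
  return u.toString();
}

// Implicit-flow responses arrive in the URL fragment, not the query string.
function tokensFromFragment(redirectUrl) {
  const p = new URLSearchParams(new URL(redirectUrl).hash.replace(/^#/, ""));
  return { accessToken: p.get("access_token"), idToken: p.get("id_token") };
}

// Decode only the payload for inspection; this does not verify the signature.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// aud may be a string or an array; report which expected audiences are present.
function audienceReport(jwt, expected) {
  const aud = [].concat(decodePayload(jwt).aud || []);
  return Object.fromEntries(expected.map((a) => [a, aud.includes(a)]));
}

// Constructed, unsigned sample tokens that mirror the two cases in the thread.
function unsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
  return `${enc({ alg: "none" })}.${enc(payload)}.`;
}
const SAMPLE_ID_TOKEN = unsignedJwt({ aud: CLIENT_ID, nonce: "123", name: "Matt" });
const SAMPLE_ACCESS_TOKEN = unsignedJwt({ aud: [API_IDENTIFIER, USERINFO], scope: "openid profile email" });
```

Before trusting any claim in a real token, verify its RS256 signature against the tenant's JWKS and check exp, iss and nonce; the decoder here is only for looking at why aud is what it is.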

Hi @matt.green,

Thank you for your reply.

I am glad everything is working now!

If there is any additional user profile information that you require in the access token, I recommend appending them as a custom claim using a Post-Login Action. This will allow you to include the desired information in the token itself.

Please refer to our Adding custom claims to tokens FAQ for more details.

Please reach out again if you have any further questions.

Thanks,
Rueben
