Opaque JWT returned from login

I have read just about every post where people are having issues with returned opaque JWTs after authentication. I have my Application and API registered. I understand in order to receive back a non-opaque JWT you must provide the ‘audience’ parameter in the request. But here is the problem:

The library for the Authenticator (auth.go) doesn’t support passing the audience parameter:

```go
func New() (*Authenticator, error) {
	provider, err := oidc.NewProvider( /* arguments elided */ )
	if err != nil {
		return nil, err
	}

	conf := oauth2.Config{
		ClientID:     os.Getenv("AUTH0_CLIENT_ID"),
		ClientSecret: os.Getenv("AUTH0_CLIENT_SECRET"),
		RedirectURL:  os.Getenv("AUTH0_CALLBACK_URL"),
		Endpoint:     provider.Endpoint(),
		Scopes:       []string{oidc.ScopeOpenID, "profile"},
	}

	return &Authenticator{
		Provider: provider,
		Config:   conf,
	}, nil
}
```

Any idea if this is a bug or am I missing something?

In the meantime, since many people have had this issue for over a year now… I figured I would write around the issue.

Once the user has authenticated successfully (using Universal Login), I issue another request to grab the JWT using the audience parameter as such:

```go
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"` // sent as a JSON number, not a string
	TokenType   string `json:"token_type"`
}

func Handler() {
	var token tokenResponse

	url := "https://" + os.Getenv("AUTH0_DOMAIN") + "/oauth/token"
	payload := strings.NewReader("{\"client_id\":\"" + os.Getenv("AUTH0_CLIENT_ID") + "\",\"client_secret\":\"" + os.Getenv("AUTH0_CLIENT_SECRET") + "\",\"audience\":\"" + os.Getenv("AUTH0_AUDIENCE") + "\",\"grant_type\":\"client_credentials\"}")
	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Println(err)
		return
	}
	req.Header.Add("content-type", "application/json")
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Println(err) // res is nil on error, so res.Body must not be touched
		return
	}
	defer res.Body.Close()
	body, err := ioutil.ReadAll(res.Body)
	if err != nil {
		log.Println(err)
		return
	}
	if err := json.Unmarshal(body, &token); err != nil {
		log.Println(err)
		return
	}

	myJWT := token.AccessToken
	_ = myJWT // use the access token from here on
}
```


Not optimal but it works. Hope this helps someone.

1 Like
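
Added example, not part of the original post or of the Auth0 quickstart: in the authorization code flow the audience is sent on the `/authorize` request itself (with `golang.org/x/oauth2`, by passing `oauth2.SetAuthURLParam("audience", ...)` to `AuthCodeURL`), whereas a token from the `client_credentials` grant is issued to the application rather than to the user who logged in. The sketch below uses only the standard library; the domain, client ID, URLs and sample tokens are constructed placeholders, and `authorizeURL`, `describeToken` and `sampleJWT` are hypothetical helper names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// authorizeURL builds the /authorize request for the authorization code flow.
func authorizeURL(domain, clientID, redirectURI, audience, state string) string {
	q := url.Values{
		"response_type": {"code"},
		"client_id":     {clientID},
		"redirect_uri":  {redirectURI},
		"scope":         {"openid profile"},
		"audience":      {audience}, // API identifier; yields a JWT access token for that API
		"state":         {state},    // per-request random value, checked on callback
	}
	return "https://" + domain + "/authorize?" + q.Encode()
}

// describeToken decodes the payload WITHOUT verifying the signature (debugging aid only).
func describeToken(tok string) string {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "opaque"
	}
	var claims struct{ Sub string `json:"sub"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return "opaque"
	}
	if strings.HasSuffix(claims.Sub, "@clients") { // Auth0 subject form for client_credentials
		return "application"
	}
	return "user"
}

// sampleJWT builds an unsigned, constructed token so the demo runs offline.
func sampleJWT(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(payload)) + ".sig"
}

func main() {
	fmt.Println(authorizeURL("tenant.example.com", "CLIENT_ID", "https://app.example.com/callback", "https://api.example.com", "random-state"))
	fmt.Println(describeToken(sampleJWT(`{"sub":"CLIENT_ID@clients"}`)), describeToken(sampleJWT(`{"sub":"auth0|1234"}`)))
}
```

An API that authorizes per user should see `user` here; a token classified as `application` carries no end-user identity, so per-user access decisions cannot be based on it.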