Opaque token returned for hosted lock with audience param

ricardo.batista · February 16, 2018, 6:51pm

You shouldn’t be setting the audience in the hosted login page, it should be set in your auth0.WebAuth object that makes the original authorization request.

Your hosted login page code should look like:

var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
   auth: {
     redirectUrl: config.callbackURL,
     responseType: (config.internalOptions || {}).response_type ||
       config.callbackOnLocationHash ? 'token' : 'code',
     params: config.internalOptions
   },

And your WebAuth request should be:

var webAuth = new auth0.WebAuth({
  domain: {YOUR_AUTH0_DOMAIN}, 
  clientID: {CLIENT_ID},
  audience: {API_AUDIENCE},
  redirectUri: {CALLBACK_URL}, 
  scope: 'openid profile',
  responseType: 'token id_token'
});
webAuth.authorize();

This will give you a JWT access token. Also note that [when the audience is /userinfo] (https://auth0.com/docs/tokens/access-token#access-token-format), an opaque token will always be issued.

Topic		Replies	Views
Audience with embedded Lock as Popup Get Help lock-10 , api , audience , embedded-lock	13	6960	March 2, 2018
Authorization code flow returns opaque token instead of JWT even though audience is set Get Help jwt , api	10	4981	November 26, 2021
Different behaviour on second login Get Help second-login-jwt-as- , first-login-jwt-as-i	7	4223	March 2, 2018
Opaque token example Get Help authentication-api , api , opaque-tokens	5	7936	September 14, 2020
Authorizaton returning short access token Get Help access_token	2	4098	March 2, 2018

Opaque token returned for hosted lock with audience param

Related topics