My JWT is this. As you can see, it has two audiences specified.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjlKbThTUDF3VGlnb0M0dHNETlZpRiJ9.eyJodHRwczovL215Y29tZWR5dGlja2V0cy5jb20vcm9sZXMiOlsiYWRtaW4iLCJjbHViLW1hbmFnZXIiLCJjb21pYyJdLCJpc3MiOiJodHRwczovL2xvZ2luLm15Y29tZWR5dGlja2V0cy5jb20vIiwic3ViIjoiZ29vZ2xlLW9hdXRoMnwxMDE4MzMyNjg2NTYzMDUyMzU3NTciLCJhdWQiOlsicHVuY2hsaW5lL2FwaSIsImh0dHBzOi8vcHVuY2hsaW5lLnVzLmF1dGgwLmNvbS91c2VyaW5mbyJdLCJpYXQiOjE2NzkyOTEzOTUsImV4cCI6MTY3OTM3Nzc5NSwiYXpwIjoiRUtRd0F1bGxka2Z5MUV3QUdnS0JPQ1BlOTJYVmFWYlYiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwicGVybWlzc2lvbnMiOltdfQ.AohSNUg0qlpsTmY4rqWRlkAOxgeiBNeFYP3vV0ynMOzfzvncTBz9zViCLb6nv1YJm5d3PN4pozMG_G-TGlcjWNzcUSfm7xQ0Wo-d-iF1l_IpDivXcXVMC6OBEhCp3CxO6uw_Qpixqa85rINyaPUsofdAZnTjlJ8y_b9wHGyETbhDxf_4DfwwDtuDBJvFHamWTIz_pB3p0I4mZJycKk9eUoTiaIJlJA8Chco7Iz5EeW_VxKxUcM35uYoq4p5d8Iro3Bwfu3PuZDGln9IzVrGEp5ojysEUtVaSd23UOJy_FqmojEQUO6Yr7u7VJa6fYn6o0odWO6_x7QZztH8Ux4bv9A
I presume (maybe incorrectly) that I need to specify two audiences in the initial auth config:
authRequired: false,
auth0Logout: true,
idTokenSigningAlg: "RS256",
authorizationParams: {
scope: 'openid profile email',
response_type: 'code',
response_mode: 'form_post',
audience: 'punchline/api'
},
However, audience is a string parameter and cannot take multiple (i tried separating with space but it didn’t work). I assume this is why I’m getting:
OPError: invalid_token (The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens)
Is this correct?