Passing 1 audience to get access_token request, but returned access_token has 2 audience

khanh.le · August 11, 2021, 7:39am

Hi Auth0 Community,

I set the audience properly and get access_token successfully, but when I use it to call API, I get 401 Authorized error with the detail like:

Bearer error="invalid_token", error_description="The audience 'https://development.au.auth0.com/api/v2/, https://development.au.auth0.com/userinfo' is invalid"

Then, I paste the access_token on jwt.io and see that it has 2 audiences the same as the error above.

Could anybody help me out what is the problem and how to fix it. Thanks a lot.

khanh.le · August 13, 2021, 2:11am

Hello, can anybody know what the problem is?

lonli.lokli · April 11, 2022, 10:37pm

It’s very long bug, unfortunately, and do not think it will be resolved.
Shame but I had to disable Audience check and descrease security

lonli.lokli · April 12, 2022, 11:55am

Sorry, not a bug but a by design
Access token has two audiences? - Auth0 Community

lonli.lokli · April 12, 2022, 12:57pm

Sorry again, it’s actually an easy - you should validate against same audience as you have in token ask on UI

konrad.sopala · April 12, 2022, 2:13pm

No worries! We’ve all been there and thanks for sharing with the rest of community!