React Native Lock token wrong audience on .NET Core server

On my React Native app I am creating a new Lock with (the auth object was added after some googling)

let lock = new Auth0Lock({
    clientId: 'my-long-client-id',
    domain: 'my-domain.eu.auth0.com',
    auth: {
        responseType: 'token',
        params: {
            audience: 'MyAudience'
        }
    }
});

and on my .NET Core API I have followed the quick start and have

var options = new JwtBearerOptions {
    Audience = "MyAudience",
    Authority = "https://my-domain.eu.auth0.com/"
};
app.UseJwtBearerAuthentication(options);

When I get the token response from the Native Lock I send token.idToken as the authorization bearer token to my API and it returns a Bearer error: audience is invalid.

Using the JWT debugger, the payload has an aud of my-long-client-id. When I use Postman with a token from the Auth0 test section, the aud is MyAudience, so I know something is not right; I just don’t know what, or how to debug it.

Any help would be appreciated.

There are two services you’re trying to leverage from Auth0, user authentication and API authorization. In addition, you’re leveraging those by following the OAuth2 and OpenID Connect (OIDC) related standards. This means that the outcome of the user authentication (which follows OIDC) is an ID Token that contains information about the user that authenticated into your client application. The user authentication step may also generate an access token even if you don’t specify your own audience; however, this access token is meant to call the OIDC-specified /userinfo endpoint.

An ID Token is always a JWT and the audience will always be the client application; this is because ID Tokens are meant to only be used by the client application as means to know information about the user identity that authenticated.

In addition to that you’re also performing an API authorization request (by means of including the audience parameter). The outcome of an API authorization request (which follows OAuth2) is an access token that can then be used by the client application to authorize the requests that it performs against the specified audience.

The above explains why sending an ID Token to your API fails; you’re treating the API as an independent system with its own identifier, and the correct way for a scenario like this requires you to send an access token obtained specifically for use against that API.

In conclusion, you would need to send the access token instead of the ID Token; however, React Native Lock was designed to provide the user authentication part of it and to my knowledge the API authorization aspect is not supported/documented (at least I could not find any documentation on it, so your mileage may vary). I know we are actively updating the documentation and quickstart guidance to cover API authorization scenarios, but at this time it is not yet available. The general guidance for calling independent APIs from a mobile application suggests the use of PKCE, in case you want to start some research on the subject.
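As an added example that is not part of the original question or answer, here is a small Node.js debugging helper that decodes a token's payload (without verifying the signature) and applies the issuer and audience checks that the JwtBearerOptions in the question imply, so you can see which token you are actually sending. The two sample tokens, the user subject and the array-form aud on the access token are constructed for the demonstration.

```javascript
// Added example (not from the original post): inspect an Auth0-issued JWT's
// claims and explain why the JwtBearer middleware would reject it.
// Debugging aid only: it does NOT verify the signature or expiry, so it never
// replaces the API's real token validation.
const API_CONFIG = {            // values taken from the question's JwtBearerOptions
  authority: 'https://my-domain.eu.auth0.com/',
  audience: 'MyAudience',
};
const CLIENT_ID = 'my-long-client-id';   // clientId passed to Auth0Lock

function b64url(obj) {          // base64url-encode a JSON object, no padding
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function decodePayload(jwt) {   // return the middle (payload) segment as an object
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Mirror the two checks that Authority and Audience configure: iss must be the
// tenant, and aud (a string or an array) must contain the API identifier.
function checkToken(jwt, cfg = API_CONFIG) {
  const p = decodePayload(jwt);
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  if (p.iss !== cfg.authority) return { ok: false, error: 'issuer is invalid', aud };
  if (!aud.includes(cfg.audience)) return { ok: false, error: 'audience is invalid', aud };
  return { ok: true, error: null, aud };
}

// Constructed, unsigned sample tokens (alg "none") shaped like the two tokens the
// question compares: Lock's idToken (aud = client id) versus an access token
// minted for the API (aud = API identifier, plus /userinfo when openid is used).
const HEADER = b64url({ alg: 'none', typ: 'JWT' });
const FAR_FUTURE = 4102444800;   // 2100-01-01, keeps the samples "unexpired"
const ID_TOKEN = `${HEADER}.${b64url({
  iss: API_CONFIG.authority, sub: 'auth0|constructed-user', aud: CLIENT_ID, exp: FAR_FUTURE,
})}.`;
const ACCESS_TOKEN = `${HEADER}.${b64url({
  iss: API_CONFIG.authority, sub: 'auth0|constructed-user',
  aud: [API_CONFIG.audience, `${API_CONFIG.authority}userinfo`], exp: FAR_FUTURE,
})}.`;

for (const [name, tok] of [['idToken', ID_TOKEN], ['accessToken', ACCESS_TOKEN]]) {
  console.log(name, checkToken(tok));
}
```

Run with `node`: the idToken reports "audience is invalid" with aud ['my-long-client-id'], while the access token passes; the same check on a real token shows immediately which of the two Lock handed you.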