Hi there,
We’re running into a problem with refresh tokens and the userinfo endpoint.
We’re building a mobile application, using Expo IO and TypeScript to build this application. For communicating with auth0, we’re using expo-app-auth (expo-app-auth - npm).
Basically, when we log into the application, we get back an access_token with both our audience and the auth0 userinfo audience. However, when this token expires and we refresh the token, then we get a token without the userinfo audience.
This means that if we try to access the auth0 user info endpoint, we get back ‘access denied’.
The new access_token is valid for accessing our own service, but not for getting the user_info endpoint. It looks like currently we’re passing the same set of options to get the access_token on login and to refresh it.
(Basically, we’re passing the correct audience and the scopes “openid email profiles offline_access”.) Do we need to pass something else to get it to work?
Thanks,
Erwin
1 Like
Ok, we’ve found something, but I’d like to know if this is expected behavior.
On both the request to get an access token and the request to renew it, we’re sending our services audience. It appears that, if we do that, we don’t get the userinfo audience back on the access_token.
But if we keep the audience field empty on the request to renew the access token, then we DO get the userinfo audience in the access_token.
Is that expected behavior?
@erwin.vandervalk did you find any solution on this??
not sending the audience unfortunately.
2 Likes
@erwin.vandervalk yes, I did the same and it works for me. Thanks, let’s hope for a documented solution or an improved one from Auth0.
1 Like
I’ll make sure to relay that to appropriate team!
erwin.vandervalk
Oct '20
not sending the audience unfortunately.
For those arriving late to this and, like I did, failing to understand this solution: you have to omit the audience parameter from the refresh token request.
1 Like
Thanks for sharing that with the rest of community!
1 Like