We have a hybrid app that will be deployed to mobile and as a web app. For native we plan to do PKCE (via the new Cordova plugin). For web we planned on doing the implicit grant.
Upon implementing I found out the implicit grant shows a nasty consent page after login. We own the data and the app here (no 3rd party). Asking the user to give consent is pretty strange in our world.
We want to do the SPA authentication properly, which I thought involved the implicit grant. Is this accurate? If so, can we do that and somehow suppress the consent page?
Hi @fady - quick question on this. Once I switched my audience to my custom Auth0 API I can no longer access the /userinfo endpoint. I do have openid in my scope as you suggested, and I’m using the access token that comes back as my bearer. I get an invalid token response with the detail below.
The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens
Do I need to have multiple URLs in my audience? I tried to set my API’s signing algorithm to RS256 but that looks to be disabled. My token request is below
Hi @fady - One more update on this. I updated my client and created a new API that are both RS256. Seems like this gets past the error above, but still results in below when trying to hit /userinfo with these OIDC-conforming access tokens. Do I somehow need to have 2 audiences in the token request? One for my backend API and one for /userinfo?
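The two things the thread keeps circling back to are (a) how the authorization request is built for a public client (PKCE instead of the implicit grant, with `audience` and an `openid` scope) and (b) which audiences the returned access token actually carries before it is sent to /userinfo. The following is an added example, not code from the poster or from Auth0: it generates an S256 PKCE pair, builds the authorize URL, and decodes a token's `aud` claim locally so you can see what you were issued. The tenant domain, client id, redirect URI and API identifier are constructed placeholders, and the payload decoder deliberately does not verify signatures (it is for inspection, not for trusting a token).

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# All of these are constructed placeholders, not values from the thread.
TENANT = "https://example-tenant.auth0.invalid"        # hypothetical tenant domain
CLIENT_ID = "EXAMPLE_CLIENT_ID"                         # hypothetical client id
REDIRECT_URI = "https://app.example.invalid/callback"   # hypothetical callback
API_AUDIENCE = "https://api.example.invalid"            # hypothetical custom API identifier
USERINFO_URL = f"{TENANT}/userinfo"                     # /userinfo on that hypothetical tenant


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method."""
    if verifier is None:
        # 32 random bytes -> 43 base64url chars, inside the 43..128 range RFC 7636 allows
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(code_challenge, audience=API_AUDIENCE,
                        scope="openid profile email", state=None):
    """Authorization-code + PKCE request: `audience` names the API the access
    token is for, `openid` asks for an identity (ID token / userinfo) as well."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "audience": audience,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state or b64url(secrets.token_bytes(16)),  # CSRF binding for the callback
    }
    return f"{TENANT}/authorize?{urlencode(params)}"


def decode_jwt_payload(token):
    """Decode the middle JWT segment only. This does NOT verify the signature;
    use it to look at claims, never to decide whether a token is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audiences(token):
    """'aud' may be a single string or a list; normalise to a list."""
    aud = decode_jwt_payload(token).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def can_call(token, resource):
    """True if the token names `resource` as one of its audiences."""
    return resource in audiences(token)


def make_unsigned_test_token(payload):
    """Constructed JWT with a dummy signature so the helpers run offline."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.ZHVtbXk"  # base64url('dummy') stands in for a real signature


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(challenge))
    # Constructed token carrying both the API and the userinfo endpoint as audiences
    token = make_unsigned_test_token({"aud": [API_AUDIENCE, USERINFO_URL], "scope": "openid profile"})
    print("audiences:", audiences(token))
    print("usable against /userinfo:", can_call(token, USERINFO_URL))
```

The `code_verifier` stays in the client and is sent only on the token exchange; the `state` value should be stored alongside it and compared on the callback. Running `audiences()` on a real token issued to you shows directly whether the /userinfo endpoint is among its audiences, which is the question the last post asks.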