Swagger UI /token request with audience results in opaque access token!?

Hey, I’m using Swagger UI with the PKCE authentication flow to get an access token. By default Swagger does not add an audience claim when calling the /token endpoint, resulting in an opaque access token. I added the claim using a request interceptor:

requestInterceptor: function(request) {
  if (request.url.includes('auth0.com/oauth/token')) {
    request = {
      ...request, 
      body: `${request.body}&audience=${encodeURIComponent("https://api.dev.local/")}`
    }
    console.log(request)
  }
  return request
},

When inspecting the request I can see that the audience is added to the body of the request:

Object { 
  url: "https://<name>.<region>.auth0.com/oauth/token", 
  method: "post",
  headers: {…},
  body: "grant_type=authorization_code&code=M4-bFdA5UYop4onnEKfxzFKzyYZMCppF7_ktCQkeJr-qk&client_id=<client_id>&redirect_uri=https%3A%2F%2Fapi.dev.local%2Fdocs%2Foauth2-redirect.html&code_verifier=kATj3NP09RBa8cor0NvNzApAjoYtB3cRD6wr-IoCw4k&audience=https%3A%2F%2Fapi.dev.local%2F", 
  requestInterceptor: requestInterceptor(request), 
  responseInterceptor: responseInterceptor(e) 
}

However, when inspecting the access token I can see it is still an opaque token!! Is there something I’m missing or doing wrong?

Hey there @tamis, welcome to the community!

The audience param needs to be included in the initial call to /authorize which kicks off the flow as opposed to when calling the /token endpoint.
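
Added example, not part of the original posts: Swagger UI's `initOAuth()` accepts `additionalQueryStringParams`, which are appended to the /authorize redirect, so the audience can be supplied there rather than in a /token interceptor. The sketch below mirrors that URL construction and adds a quick format check for the returned token; the helper names, client ID, endpoint and code challenge are constructed placeholders.

```javascript
// Added example. Shape of the options Swagger UI's initOAuth() accepts;
// clientId and the audience value are constructed placeholders.
const oauthOptions = {
  clientId: "EXAMPLE_CLIENT_ID",
  usePkceWithAuthorizationCodeGrant: true,
  additionalQueryStringParams: { audience: "https://api.dev.local/" },
};

// Mirrors how those options end up on the /authorize redirect.
// codeChallenge is passed in; deriving it from the verifier is out of scope.
function buildAuthorizeUrl(authorizeEndpoint, opts, redirectUri, codeChallenge) {
  const url = new URL(authorizeEndpoint);
  const q = url.searchParams;
  q.set("response_type", "code");
  q.set("client_id", opts.clientId);
  q.set("redirect_uri", redirectUri);
  if (opts.usePkceWithAuthorizationCodeGrant) {
    q.set("code_challenge", codeChallenge);
    q.set("code_challenge_method", "S256");
  }
  for (const [k, v] of Object.entries(opts.additionalQueryStringParams || {})) {
    q.set(k, v);
  }
  return url.toString();
}

// Decode one base64url JWT segment to an object, or null if it is not JSON.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
    const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
    return JSON.parse(atob(padded));
  } catch {
    return null;
  }
}

// Debugging aid only: reports token format and whether `aud` lists the API.
// It does not verify the signature; the API must still do that.
function inspectAccessToken(token, expectedAudience) {
  const parts = token.split(".");
  const header = parts.length === 3 ? decodeSegment(parts[0]) : null;
  const payload = parts.length === 3 ? decodeSegment(parts[1]) : null;
  if (!header || !payload) return { format: "opaque", audienceOk: false };
  const audiences = [].concat(payload.aud ?? []);
  return { format: "jwt", audienceOk: audiences.includes(expectedAudience) };
}
```

Passing an object like `oauthOptions` to `ui.initOAuth(...)` puts the audience on the /authorize request, which is where the reply says it belongs.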
