The /userinfo endpoint can be called either with an opaque access token that is specifically aimed for this purpose (currently, you could distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.
When the access token is in the JWT format, the token must list https://[your_account].auth0.com/userinfo as an audience aud in order for it to be valid to call the /userinfo endpoint.
The access token you’re using does not meet this requirement as it only lists a different API as a valid audience. When you specify an audience parameter for an endpoint other than the user information one, you need to consider that /userinfo will only be included as an additional audience if the following occurs:
- the API specified in the audience parameter does not use
HS256as the signing algorithm. - you specify a scope parameter that includes
openid.
Based on the information you provided you seem to be correctly asking for the openid scope. It’s not clear which signing algorithm the API you used as audience is using as you did not include the header component of the issued access token. However, if the API uses HS256 then that’s the explanation for why you don’t get an audience valid for /userinfo.