The /userinfo endpoint can be called either with an opaque access token that is specifically aimed for this purpose (currently, you could distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.

When the access token is in the JWT format, the token must list `https://[your_account].auth0.com/userinfo` as an audience (`aud`) in order for it to be valid to call the /userinfo endpoint.

The access token you're using does not meet this requirement as it only lists a different API as a valid audience. When you specify an `audience` parameter for an endpoint other than the user information one, you need to consider that /userinfo will only be included as an additional audience if the following occurs:

- the API specified in the `audience` parameter does not use HS256 as the signing algorithm.
- you specify a `scope` parameter that includes `openid`.

Based on the information you provided, you seem to be correctly asking for the `openid` scope. It's not clear which signing algorithm the API you used as audience is using, as you did not include the header component of the issued access token. However, if the API uses HS256, then that's the explanation for why you don't get an audience valid for /userinfo.
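As an added example (not part of the answer above and not Auth0's own code), the following helper inspects a JWT access token's header and claims to report which of the two conditions described above explains a missing /userinfo audience. It only decodes the token, it does not verify the signature; the tenant URL is a placeholder and the sample tokens are constructed inline with a dummy signature segment.

```python
import base64
import json

# Placeholder tenant; the real value is https://[your_account].auth0.com/userinfo
USERINFO_AUDIENCE = "https://example-tenant.auth0.com/userinfo"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT without checking the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def userinfo_diagnosis(token: str, userinfo_aud: str = USERINFO_AUDIENCE) -> str:
    """Explain whether the token carries the audience /userinfo requires."""
    if token.count(".") != 2:
        # Opaque tokens issued for /userinfo are currently 16 characters long.
        return "opaque" if len(token) == 16 else "not a JWT"
    header, payload = decode_unverified(token)
    aud = payload.get("aud", [])
    if isinstance(aud, str):          # aud may be a single string or a list
        aud = [aud]
    if userinfo_aud in aud:
        return "ok"
    if header.get("alg") == "HS256":  # HS256 APIs never get /userinfo added
        return "missing userinfo audience: API uses HS256"
    if "openid" not in payload.get("scope", "").split():
        return "missing userinfo audience: openid scope not requested"
    return "missing userinfo audience"


def make_sample_token(alg: str, aud, scope: str) -> str:
    # Constructed sample for demonstration; the signature segment is a dummy.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "scope": scope}).encode())
    return f"{header}.{payload}.dummy-signature"
```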