Token length and format when using audience

When using an application without audience the access token is very short (32 characters).

I am exchanging the authorization code for tokens without audience and getting the following result:

But when I use an application with audience the access token is very long and in JWT format. See the following picture:

Google smarthome does work with the short token, but not with the long one. I need however to use application with audience in order to set offline_access for Google smarthome.

So how can I return a short token when using audience?


Hi @odsif. Welcome!

When issuing tokens for a custom API (i.e. an API that you control as opposed to an API internal to Auth0) Auth0 always uses the JWT token format, as they are self-contained (they can be validated by the intended audience without involving Auth0).
There’s no way, I’m afraid, to switch to an opaque token format for a custom API. Now, having said that:

Google smarthome does work with the short token, but not with the long one. I need however to use application with audience in order to set offline_access for Google smarthome.

This part I don’t understand. What’s the intended purpose of the token that Auth0 is issuing? Where will you be using it?
offline_access does not necessarily require an audience. If the access token you are asking is meant to be used against Auth0’s /userinfo (the OIDC userinfo endpoint) you can ask for scope=openid offline_access without an audience. audience is only required if the access token you are after is to make requests to a custom API (and then the token will be of JWT format).


Hi Nicolas

OK, thanks for the answer.

To start with I will answer your question. The token is used to authorize Google smarthome to control devices from my company on behalf of the users which own the devices.

I understand now that when using audience the tokens shift from being opaque to self-contained.

So I have now added the scope "offline_access" and will see in 24 hours if the token gets refreshed. I don't see any other option as there is only the possibility to set token expiration when using audience. Please correct me if I am wrong here.

Hi again!

to control devices from my company

presumably this is done with an API your company created, right? And, if so, how is the API verifying the opaque access token? You won’t be able to do so: that opaque access token’s audience is Auth0 itself, not your company’s API.
If your API wants to receive - and validate - a bearer token for authorizing requests, you'll have to use the JWT tokens Auth0 issues (with an audience).

So I have now added the scope "offline_access" and will see in 24 hours if the token gets refreshed. I don't see any other option as there is only the possibility to set token expiration when using audience. Please correct me if I am wrong here.

You are correct in that the opaque token (the one meant for /userinfo only) lifetime is fixed. But, as I said above, this is not really applicable in this case.
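As an added example (not code from this thread or from Auth0), here is the check Nicolas describes in both of his replies: an API can validate a JWT access token locally, including that its `aud` claim matches the identifier the client requested via `audience`, whereas an opaque token offers nothing to validate without asking the issuer. It assumes an API configured for HS256 and uses a constructed secret, issuer and API identifier; a real Auth0 API is commonly configured for RS256 with the tenant's JWKS, which this stdlib-only example does not cover.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (not real Auth0 tenant data).
API_IDENTIFIER = "https://devices.example.com/api"  # the `audience` the client requested
ISSUER = "https://example-tenant.auth0.com/"        # assumed tenant issuer URL
HS256_SECRET = b"constructed-demo-signing-secret"   # assumed API signing secret (HS256 API)

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def is_jwt(token: str) -> bool:
    """True for header.payload.signature with a JSON header naming `alg`; opaque tokens fail this."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

def verify_access_token(token: str, now: float = None) -> dict:
    """Validate an HS256 JWT locally (signature, alg, iss, aud, exp); opaque tokens are rejected."""
    if not is_jwt(token):
        raise ValueError("opaque token: only the issuer (e.g. /userinfo) can check it")
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(HS256_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if API_IDENTIFIER not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")  # wrong or missing audience
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

def make_demo_token(claims: dict) -> str:
    """Mint a constructed HS256 token so the example runs offline (stands in for Auth0)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(HS256_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

A 32-character opaque token never passes `is_jwt`, which is exactly why the short token cannot be checked by your own API.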