Troubleshooting Invalid Audience Errors

whitney.mcdonald · September 30, 2024, 10:12pm

Last updated: Nov 5th, 2024

Overview

Invalid audience errors can occur in a number of contexts. This article explains how to troubleshoot depending on the symptoms and configuration.

Here are several scenarios during which an invalid audience error can occur:

After receiving an access token from Auth0, an “Invalid audience” error occurs during token verification.

Ensure the audience parameter in the token request matches the identifier of the API in Auth0.
With Auth0 audiences such as the management API, if using a custom domain the aud claim in the issued token will contain the custom domain rather than the canonical domain.

The API rejects tokens with an “Invalid audience” error.

Review the API’s token validation logic.
Confirm that the expected audience in the API matches the one set in Auth0.
Check any middleware or libraries handling token validation and ensure they’re correctly configured.
In the case of Auth0 audiences such as the management API, verify that the API is using the correct Auth0 domain for validation if using custom domains.

SAML authentication fails with the following error:

Audience is invalid. Configured: urn:auth0:your_tenant_name:your_connection_name

Retrieve the SAMLResponse from one of the failed log events.
Decode the SAMLResponse using a tool like https://samltool.io/ to convert it into XML.
In the decoded XML, locate the Audience parameter. It should look similar to:

<saml:AudienceRestriction>
    <saml:Audience>
        <The audience which Auth0 as SP is expecting>
    </saml:Audience>
</saml:AudienceRestriction>

Verify that the Audience value matches the expected format: urn:auth0:your_tenant_name:your_connection_name (entity ID)
If the Audience value is incorrect, either:
1. Re-configure on the identity provider (IdP) side, OR
2. Configure a custom Entity ID for the Auth0 SAML connection to match what the IdP is sending according to the Auth0 SAML Identity Provider Configuration Settings docs here: Entity ID

Topic		Replies	Views
“Audience is invalid” Error in SAML with custom domain Help connections , saml-enterprise-connection	3	558	February 15, 2024
"Audience is invalid" Error in SAML and Entity ID Knowledge Articles audience-is-invalid , saml-enterprise-connections , entity-id	1	1523	May 2, 2023
SAML Post-Back URL receiving two audiences causes “Invalid audience” error even though one audience is correct Help saml , audience-is-invalid	4	5322	March 2, 2018
SAMLResponse Audience is invalid Help connections , saml-enterprise-connection	2	3982	February 14, 2023
Keep getting Invalid token audience "{some_audience_here}" error when trying to validate a token Help jwt , auth0	3	6422	August 30, 2019