Troubleshooting Invalid Audience Errors

Overview

Invalid audience errors can occur in a number of contexts. This article explains how to troubleshoot depending on the symptoms and configuration.

Applies To

  • APIs
  • Invalid audience
  • Token verification
  • SAML

Solution

An invalid audience error can occur in the following scenarios:

Client-side token verification

Symptom

After receiving an access token from Auth0, an “Invalid audience” error occurs during token verification.

Troubleshooting steps

  1. Ensure the audience parameter in the token request matches the identifier of the API in Auth0.
  2. For Auth0 audiences such as the Management API, note that when a custom domain is in use, the aud claim in the issued token contains the custom domain rather than the canonical domain.

API token verification

Symptom

The API rejects tokens with an “Invalid audience” error.

Troubleshooting steps

  1. Review the API’s token validation logic.
  2. Confirm that the expected audience in the API matches the one set in Auth0.
  3. Check any middleware or libraries handling token validation and ensure they’re correctly configured.
  4. For Auth0 audiences such as the Management API, if custom domains are in use, verify that the API uses the correct Auth0 domain for validation.

SAML authentication

Symptom

SAML authentication fails with the following error:

Audience is invalid. Configured: urn:auth0:your_tenant_name:your_connection_name

Troubleshooting steps

  1. Retrieve the SAMLResponse from one of the failed log events.
  2. Decode the SAMLResponse using a tool like https://samltool.io/ to convert it into XML.
  3. In the decoded XML, locate the Audience parameter. It should look similar to:
     <saml:AudienceRestriction>
         <saml:Audience>
             <The audience which Auth0 as SP is expecting>
         </saml:Audience>
     </saml:AudienceRestriction>
  4. Verify that the Audience value matches the expected format: urn:auth0:your_tenant_name:your_connection_name (entity ID)
  5. If the Audience value is incorrect, re-configure on the identity provider (IdP) side.
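
The decode-and-compare steps above can also be run locally. The following Python script is an added example, not Auth0 code: it decodes a base64 SAMLResponse (HTTP-POST binding), lists every Audience value and compares it with the expected entity ID. The tenant name, connection name and sample response are constructed, and the script is diagnostic only (it does not verify the assertion's signature).

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, used to find <saml:Audience> whatever prefix the IdP chose.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_audiences(saml_response):
    """Return every Audience value found in a base64-encoded SAMLResponse."""
    # Values copied from logs or form bodies are often still URL-encoded.
    raw = urllib.parse.unquote(saml_response.strip())
    root = ET.fromstring(base64.b64decode(raw))
    # Surrounding whitespace is stripped because pretty-printed XML
    # puts the value on its own line.
    return [
        (el.text or "").strip()
        for el in root.iterfind(".//saml:AudienceRestriction/saml:Audience", SAML_NS)
    ]


def check_audience(saml_response, tenant, connection):
    """Compare the response's audiences with urn:auth0:<tenant>:<connection>."""
    expected = "urn:auth0:{}:{}".format(tenant, connection)
    found = saml_audiences(saml_response)
    # Exact, case-sensitive string comparison.
    return expected in found, expected, found


# Constructed sample response (not from a real tenant): the IdP is
# configured with the wrong connection name in the audience.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>
      urn:auth0:example-tenant:wrong-connection
    </saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(_SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    ok, expected, found = check_audience(
        SAMPLE_RESPONSE, "example-tenant", "example-connection"
    )
    print("match" if ok else "MISMATCH", "| expected:", expected, "| found:", found)
```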