Why is it necessary to pass an ‘audience’ parameter in the implicit flow authorisation request to receive an access token in JWT format?
I’m attempting to get my existing SPA (Angular) and API (.NET Core) application working against Auth0 using implicit flow. I thought that configuring a SPA application in Auth0 would be the minimum required. That is, the SPA uses the Auth0 app Id in the authentication request and receives an id and access token (in JWT format) from Auth0, and the access token is passed as a Bearer token in the request header to the API, which in turn connects to Auth0 to authenticate the JWT and allow the API call.
But apparently not? The access token isn’t a JWT but some ‘opaque string’ as explained at Access Tokens. Further docs at Auth0 about the SPA+API architecture indicate that configuring an API in Auth0 then using its ‘audience’ Id in the authentication request to retrieve a JWT instead is necessary. Why? This is a pain because my openid libraries do not support an ‘audience’ parameter, and the API expects a JWT.
Is there a way around this other than switching to Auth0 supplied libraries that accept the ‘audience’ parameter?
There’s no way to choose between generating an opaque access token and JWT access token. This behavior is based on the audience param, as the doc says. Which openid library are you using?
Hi @wr8tt5, as @luis.rudge mentioned, we use the audience parameter to make a determination of which resource server the user is authorizing access to. By default Auth0 issues that opaque token, which has limited use on some of our API endpoints. We also issue that opaque access_token when specifying the /userinfo endpoint as the audience.
In our implementation we require you to specify an audience for some resource server. This indicates to Auth0 that we are using an OIDC flow and the audience of that token will be for the specified resource server. Many libraries include a way to specify audience or other custom parameters natively via a property or, in this case, via extra parameters. Here is the code I think you might be able to use (it assumes you are using Universal Login / hosted login page):
If you didn’t want to specify the audience parameter as part of the authorize call, you can optionally specify the default audience for your tenant. Doing this means all clients will get a JWT access token for the default resource server without specifying an audience. To set up a default audience you can:
Yes you are correct about the ability of the IdentityModel library to accept extra parameters. I was just digging through the code and found it, and successfully used it to specify ‘audience’. So all is good there.
And thanks very much for pointing out a way to get a JWT via the tenant audience setting; I had no idea that existed.