Why is it necessary to pass an ‘audience’ parameter in the implicit flow authorisation request to receive an access token in JWT format?
I’m attempting to get my existing SPA (Angular) and API (.NET Core) application working against Auth0 using implicit flow. I thought that configuring a SPA application in Auth0 would be the minimum required. That is, the SPA uses the Auth0 app ID in the authentication request and receives an ID token and an access token (in JWT format) from Auth0, and the access token is passed as a Bearer token in the request header to the API, which in turn connects to Auth0 to authenticate the JWT and allow the API call.
But apparently not? The access token isn’t a JWT but some ‘opaque string’ as explained at https://auth0.com/docs/tokens/access-token. Further docs at Auth0 about the SPA+API architecture indicate that configuring an API in Auth0 then using its ‘audience’ Id in the authentication request to retrieve a JWT instead is necessary. Why? This is a pain because my openid libraries do not support an ‘audience’ parameter, and the API expects a JWT.
Is there a way around this other than switching to Auth0 supplied libraries that accept the ‘audience’ parameter?
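Added example, not part of the question above and not Auth0's or any library's code: what the API side of the setup described in the question has to check before it accepts a Bearer token, including the `aud` claim that ties a JWT access token to the API identifier configured in Auth0. It is plain Python with no Auth0 dependency. The issuer URL, API identifier, HS256 test key and all claims are constructed stand-ins; a real deployment verifies Auth0's RS256 signature against the tenant's published keys instead of a shared secret, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for this example, not real Auth0 values.
ISSUER = "https://example-tenant.auth0.com/"   # assumed tenant issuer URL
API_AUDIENCE = "https://api.example.com"        # assumed API identifier configured in Auth0
TEST_KEY = b"test-only-shared-secret"           # HS256 stand-in for Auth0's RS256 signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_access_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Mint an HS256 JWT for the example; stands in for the token Auth0 would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, expected_aud: str = API_AUDIENCE,
                        expected_iss: str = ISSUER, key: bytes = TEST_KEY,
                        now=None) -> dict:
    """Resource-server check: return the claims if the token is acceptable, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque access token has no header.payload.signature structure to parse.
        raise ValueError("not a JWT")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise ValueError("not a JWT")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("not a JWT")
    # Pin the algorithm the API expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    # aud may be a string or a list; the API accepts the token only if its own identifier is present.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("token not intended for this API")
    return claims


def is_accepted(token: str) -> bool:
    """Convenience wrapper: True if the API would accept the Bearer token."""
    try:
        verify_access_token(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    far_future = int(time.time()) + 3600
    for_api = mint_access_token({"iss": ISSUER, "sub": "auth0|user", "aud": API_AUDIENCE, "exp": far_future})
    for_other = mint_access_token({"iss": ISSUER, "sub": "auth0|user", "aud": "other-audience", "exp": far_future})
    print("token with API audience accepted:", is_accepted(for_api))
    print("token with other audience accepted:", is_accepted(for_other))
    print("opaque string accepted:", is_accepted("opaque-access-token-value"))
```

The three cases at the bottom mirror the situation in the question: a JWT minted for the API's audience passes, a JWT minted for some other audience is rejected even though its signature is valid, and an opaque string fails before any claim is examined because it is not a JWT at all.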