This does not work: after sending it, my browser redirects through some number of pages and I am effectively logged out, so I do not get to capture the response.
I have gone through a number of permutations, and I have still been unable to get a JWT access token. I am still not sure which endpoint is expecting the audience parameter.
Thank you for pointing to the SPA + API example; that is exactly what I am trying to get working. There are many steps, and many unknowns, that are making implementation difficult. There is also a big question about Roles/Groups/Users, which that example uses, and I am not certain whether it is important to getting an SPA working with an API.
I am using the react-auth0-spa.js example. I have slimmed down the application to keep just the authentication bits and to make debugging easier. It uses auth0-spa-js, but since the debugger in the browser seems to show only the obfuscated code, I have vendored its source into the project (and did a minor conversion from Flow to React/JSX). This allows me to add breakpoints and more logging to figure out what’s going wrong. Then, during my attempt to send the audience parameter, I noticed that loginWithRedirect() did not forward audience to the HTTP request, which forced me to fix that. Then I noticed that the code was replacing a missing audience with “default”, which was ending up in the HTTP requests, and since I have no “default” API, it caused some of my denials; I fixed that too. Since the code was a bit of a Rube Goldberg machine of variable renaming, I simplified it a bit. I also noticed that the scopes were not sorted, and were combined in different ways, which made my code not use the cache properly and go into loops requesting authentication.
The API example code also had some problems: it did not handle the browser’s pre-flight requests to gather the CORS rules, so I added that. It did not authenticate opaque access tokens, so I added that.
I am continuing to try permutations of parameters to get a JWT access token. I am still not certain whether I can get a token with a second call; whether I need to keep the nonce and code_verifier for longer to do so; whether I should be getting all tokens during authorization; or whether the nonce values will mess with my call sequences, especially since the audience request seems to leave the SPA a second time to get more permissions from the user.
After authorize, and after processing the callback, I attempt a getTokenSilently(), which fails. The failure seems to make sense, because we will need more user permissions. Notice that this time I am trying scope too.
Some success: I am setting both the scope and the audience, and I updated auth0-spa-js to record both so they survive between web page loads and update the new Auth0Client when the page reloads.
The SPA can get a JWT access token, use it, and the service can verify it.