I have gone through a number of permutations, and I have still been unable to get a JWT access token. I am still not sure what endpoint is expecting the audience parameter.
Thank you for pointing to the SPA + API; that is exactly what I am trying to get working. There are many steps, and many unknowns that are making implementation difficult. There is also a big question about Role/Groups/Users, which that example uses, and I am not certain whether it is important to getting an SPA working with an API.
I am using the react-auth0-spa.js example. I have slimmed down the application to keep just the authentication bits and to make debugging easier. It uses auth0-spa-js, but since the debugger in the browser seems to show only the obfuscated code, I have vendored its source into the project (and did a minor convert from Flow to React/JSX). This allows me to add breakpoints and add more logging to figure out what’s going wrong. Then, during my attempt to send the audience parameter, I noticed the loginWithRedirect() did not forward audience to the http request, which forced me to fix that. Then I noticed that the code was replacing a missing audience with default, which was ending up in the http requests, and since I have no “default” API, it caused some of my denials; I fixed that too. Since the code was a bit of a Rube Goldberg machine of variable renaming, I simplified it a bit. I also noticed that the scopes were not sorted, and combined in different ways, which made my code not use the cache properly, and go into loops requesting authentication.
The API example code also had some problems: It did not handle the browser’s pre-flight requests to gather the CORS rules, so I added that. It did not authenticate opaque access tokens, so I added that.
I am continuing permutations on parameters to get a JWT access token. I am still not certain if I can get a token with a second call; if I need to keep the code_verifier for longer to do so; if I should be getting all tokens during authorization; if the nonce values will mess with my call sequences. Especially since the audience request seems to leave the SPA for a second time to get more permissions from the user.
Here is my API setup: