Add audience to Auth0 request. Fixes #176. #222

Merged (1 commit, Aug 22, 2018)

Conversation

@kazazes (Contributor) commented Jul 24, 2018

Allows and defaults to adding audience field to Auth0 requests in order to return a JWT. Fixes #176.

@donblackowiak commented:

With these fixes, Auth0 login now works. Thank you!!!

@kazazes changed the title from "Add audience to Auth0 request" to "Add audience to Auth0 request. Fixes #176." Aug 3, 2018
@pi0 merged commit 174e135 into nuxt-community:dev Aug 22, 2018
@pi0 (Member) commented Aug 22, 2018

Sorry for late merge. And thanks for this fix. Changes will be published soon.

@kazazes deleted the auth0-audience-fix branch August 22, 2018 22:33

@ishitatsuyuki (Contributor) commented:

This is wrong. Audience is your backend API server's name in Auth0, not your Auth0 domain. This simply fails with "Service not found" callback error.

@kazazes (Contributor, Author) commented Sep 9, 2018

@ishitatsuyuki, that’s not true. The JWT RFC defines the audience as a string or URI, and Auth0 and most others use the URI of the protected resource.

@ishitatsuyuki (Contributor) commented:

@kazazes But using the Auth0 domain as audience makes no sense. It's the domain of your API server.

@kazazes (Contributor, Author) commented Sep 9, 2018

@ishitatsuyuki This sets the audience parameter of the OAuth strategy.

@ishitatsuyuki (Contributor) commented:

@kazazes That does not answer the question.

You broke all the things:

  • Audience is not a part of OAuth or OIDC spec. It's an Auth0 specific extension.
  • Audience must be configurable by the user, and should be a part of the Auth0 provider, not the OAuth strategy.

@kazazes (Contributor, Author) commented Sep 9, 2018

Audience is a JWT property, not Auth0. The Auth0 provider uses the OAuth scheme to request a token.

You’re right in that it ideally shouldn’t be a property of all OAuth requests, but the library was entirely broken for Auth0 without it before. Does this break another OAuth flow? Can you provide an example?

@ishitatsuyuki (Contributor) commented:

I used Auth0's "default audience" setting to make it work before. Now you supply an invalid audience that I can't even change.

@kazazes (Contributor, Author) commented Sep 9, 2018

The audience should be the same as the default audience, as it's using the domain. I understand what you are saying, but the problem should be limited to custom audiences beyond the default. I will submit a fix shortly.

Edit: I had to look at my PR, it's been a few months. On second glance @ishitatsuyuki, it is just assigning a default audience to preserve backwards compatibility. Specify your desired audience in your config. If that's not working, can you please post a sample?

auth: {
  strategies: {
    auth0: {
      domain: 'domain.auth0.com',
      client_id: '....',
      audience: 'domain/protectedapi'
    }
  }
}

@ishitatsuyuki (Contributor) commented:

OK, now I see that I can override the default.

However, that's not really a sane default, but rather broken by default. You should just leave it undefined to preserve former behaviour.

@kazazes (Contributor, Author) commented Sep 9, 2018

@ishitatsuyuki Auth0 will not provide a token without an audience for OIDC-conformant APIs. See #176.

@ishitatsuyuki (Contributor) commented:

@kazazes I'm not sure if I remember correctly, but I think Auth0 will return an opaque token if audience is not provided.

Anyway, your default is wrong:

If you do not want to access a custom API, then by setting the audience to YOUR_AUTH0_DOMAIN/userinfo, you can use the opaque Access Token to retrieve the user's profile.

https://auth0.com/docs/tokens/access-token

@kazazes (Contributor, Author) commented Sep 9, 2018

But we do want to access a custom API. IIRC the default worked for me and other users in #176. I don't have a project to test with anymore, but based on your experience audience should now be a required value, with no default. Is your Auth0 app OIDC compliant? That may be the difference. New applications are by default, I believe.

@ishitatsuyuki (Contributor) commented:

Yes, it is OIDC compliant.

Not supplying the audience should work as the default: I think it's how the Nuxt Auth example worked before.
Anyway, the Auth0 domain is probably never the audience that the API is configured with. I believe an empty default is best, as you can set the Auth0-side default from their dashboard.

@kazazes (Contributor, Author) commented Sep 9, 2018

Yes, it did work before but will not work now. The doc example app would fail on a newly created Auth0 app, before this PR and now, if an audience is not provided. As of June 8th, the jwt-bearer grant isn't available to new applications. Therefore, any new app cannot get a token without a specified audience (#176).

The default should be removed entirely and the audience should be a more highlighted configuration option. Without a default audience set on the tenant, passing none will fail.
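The config shape posted earlier in this thread and the conclusion reached here (send `audience` only when the user configured one, with no module-side default), as an added JavaScript example that is not the auth-module's own code: it builds the Auth0 /authorize URL with `audience` included only when set, and checks the `aud` claim of a returned token against the configured API identifier, treating a non-JWT (opaque) token as a mismatch. The helper names, the `https://api.example.com` identifier, the placeholder client id, and the unsigned sample token are constructed assumptions.

```javascript
// Added example: not code from nuxt-community/auth-module. Shows the behaviour
// the thread settles on: send `audience` only when the user configured it,
// and check the `aud` claim of whatever token comes back.

// Hypothetical strategy configs, same shape as the snippet posted in the thread.
const strategyWithAudience = {
  domain: 'domain.auth0.com',
  client_id: 'CLIENT_ID_PLACEHOLDER',
  audience: 'https://api.example.com', // constructed API identifier
};
const strategyWithoutAudience = {
  domain: 'domain.auth0.com',
  client_id: 'CLIENT_ID_PLACEHOLDER',
};

function buildAuthorizeUrl(strategy, redirectUri, state) {
  const params = new URLSearchParams({
    response_type: 'token id_token',
    client_id: strategy.client_id,
    redirect_uri: redirectUri,
    scope: 'openid profile email',
    state,
  });
  // No module-side default: when audience is unset, nothing is sent and the
  // tenant's "default audience" (if any) applies on the Auth0 side.
  if (strategy.audience) params.set('audience', strategy.audience);
  return `https://${strategy.domain}/authorize?${params.toString()}`;
}

// Decodes the payload of a JWT without verifying it. Returns null for
// anything that is not three dot-separated segments (e.g. an opaque token).
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// True only when the token is a JWT whose `aud` (string or array) includes
// expectedAudience. Signature and expiry verification is a separate step done
// with a JWT library on the API; this check only inspects the claim.
function audienceMatches(token, expectedAudience) {
  const payload = decodeJwtPayload(token);
  if (!payload || payload.aud === undefined) return false;
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expectedAudience);
}

// Constructed, unsigned sample token (signature segment is a placeholder) with
// two audiences: the API identifier and the tenant's /userinfo endpoint.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const SAMPLE_JWT = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({
    iss: 'https://domain.auth0.com/',
    aud: ['https://api.example.com', 'https://domain.auth0.com/userinfo'],
    exp: 4102444800,
  }),
  'SIGNATURE_PLACEHOLDER',
].join('.');
const SAMPLE_OPAQUE = 'k7mCzxA3sRq0pNlb'; // constructed opaque token, no dots

console.log(buildAuthorizeUrl(strategyWithAudience, 'http://localhost:3000/callback', 'xyz'));
console.log(buildAuthorizeUrl(strategyWithoutAudience, 'http://localhost:3000/callback', 'xyz'));
console.log(audienceMatches(SAMPLE_JWT, 'https://api.example.com'));      // true
console.log(audienceMatches(SAMPLE_JWT, 'https://domain.auth0.com'));      // false
console.log(audienceMatches(SAMPLE_OPAQUE, 'https://api.example.com'));   // false
```

The second URL carries no `audience` parameter at all, which is the "empty default" this thread argues for; the bare Auth0 domain is rejected by `audienceMatches` because the token's `aud` lists the API identifier and `/userinfo`, not the domain itself.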

@kazazes (Contributor, Author) commented Sep 9, 2018

@ishitatsuyuki, thanks for pointing this out. Should be mitigated in #239. Could you please test? I don't have a project currently using the module.

@pi0 mentioned this pull request May 23, 2019

@pi0 (Member) commented May 30, 2019

This PR has been published in v4.6.0

Successfully merging this pull request may close these issues.

Auth0 audience parameter is missing
5 participants