remove default auth0 audience #239
Conversation
As of June 8th, the jwt-bearer grant isn't available to new applications. Therefore, any new app cannot get a token without a specified audience (#176). This is a breaking change from upstream. The audience *must* match the API's audience. However, audience can be omitted if a default audience is specified in the tenant's settings. https://auth0.com/docs/tokens/id-token#validate-the-claims
Works as intended.
@ishitatsuyuki Thanks for your patient review and your good feedback. @kazazes Thanks for your contributions. I love community ❤️
@pi0 This fix isn't included in the
When will this fix be published on npm?
I am wondering the same. Until the "audience" fix is pushed to master, we cannot obtain JWT access tokens from Auth0 through the Auth Module. Is there anything we can do to expedite the merge process? Would be happy to help.
@nicbavetta There is a workaround to setting the audience directly in the code, you can set it in the Tenant Settings in Auth Dashboard Setting a default audience, there an
Thanks for pointing this out. I do now have the JWT after setting the default audience in Auth0. This will work for now, however, do hope to see the AuthModule code make its way into production at some point :)
Any update when this will get merged into master?
This PR has been published in v4.6.0
As of June 8th, the `jwt-bearer` grant isn't available to new Auth0 applications. Therefore, any new app (or OIDC compliant app) cannot get a token without a specified audience (#176). This is a breaking change from Auth0's end. In #222, this was fixed, but a default audience was added in an attempt to preserve backwards compatibility. @ishitatsuyuki pointed out that the default is the incorrect value and the correct value cannot be determined from existing options. This reverts the default inclusion while keeping the fix, and updates the docs to specify when `audience` is required in the auth0 strategy.
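The claim check the description refers to (the token's audience must match the API's audience), as an added example that is not code from auth-module or this PR: it decodes a JWT payload and verifies the `aud` claim against the audience the client was configured with, rejecting a token whose audience is only the tenant's `/userinfo` endpoint or an unset expected audience. The `config.audience` key, the sample token builder and the example URLs are assumptions; signature verification is assumed to happen separately.

```javascript
// Added example, not auth-module code. Decodes a JWT payload and checks that the
// `aud` claim matches the API audience the client was configured with. Signature
// verification is assumed to be done separately before trusting any claim.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT: expected header.payload.signature');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// RFC 7519 allows `aud` to be a single string or an array of strings; the token is
// acceptable only if the configured audience is one of them. An unset expected
// audience is rejected outright rather than matching anything.
function audienceMatches(payload, expectedAudience) {
  if (typeof expectedAudience !== 'string' || expectedAudience.length === 0) return false;
  const aud = payload.aud;
  if (Array.isArray(aud)) return aud.includes(expectedAudience);
  return aud === expectedAudience;
}

// `config.audience` stands for the audience option the PR documents as required
// (assumed key name).
function checkTokenAudience(token, config) {
  return audienceMatches(decodePayload(token), config.audience);
}

// Builds an unsigned, constructed sample token for demonstration only.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

// Constructed values: an API identifier and a tenant's /userinfo endpoint.
const API_AUDIENCE = 'https://api.example.com';
const USERINFO_AUDIENCE = 'https://example-tenant.auth0.com/userinfo';
```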