remove default auth0 audience #239
Conversation
As of June 8th, the jwt-bearer grant isn't available to new applications. Therefore, any new app cannot get a token without a specified audience (#176). This is a breaking change from upstream. The audience *must* match the API's audience. However, audience can be omited if a default audience is specified in the tenent's settings. https://auth0.com/docs/tokens/id-token#validate-the-claims
|
@ishitatsuyuki Thanks for your patience review and your good feedbacks. @kazazes Thanks for your contributions. I love community ❤️ |
|
@pi0 This fix isn't included in the |
When will this fix be published on npm? |
I am wondering the same. Until the "audience" fix is pushed to master, we cannot obtain JWT access tokens from Auth0 through the Auth Module. Is there anything we can do to expedite the merge process? Would be happy to help. |
@nicbavetta There is a workaround to setting the audience directly in the code, you can set it in the Tenants Settinng in Auth Dashboard Setting a default audience, there an |
Thanks for pointing this out. I do now have the JWT after setting the default audience in Auth0. This will work for now, however, do hope to see the AuthModule code make its way into production at some point :) |
|
Any update when this will get merged into master? |
|
This PR has been published in v4.6.0 |
As of June 8th, the
jwt-bearergrant isn't available to new Auth0 applications. Therefore, any new app (or OIDC compliant app) cannot get a token without a specified audience (#176). This is a breaking change from Auth0's end.In #222, this was fixed, but a default audience was added in an attempt to preserve backwards compatibility. @ishitatsuyuki pointed out that the default is the incorrect value and the correct value cannot be determined from existing options. This reverts the default inclusion while keeping the fix, and updates the docs to specify when
audienceis required in the auth0 strategy.