diggy
(Dgraph Bot)
June 26, 2020, 6:55am
1
Moved from GitHub dgraph/5740
Posted by dpeek :
JWT aud is an array, GraphQL endpoint is expecting a string it seems:
{
  "https://www.example.com/jwt/claims": {
    "USER": "github|XXXXX",
    "ROLE": "ADMIN"
  },
  "iss": "https://example.us.auth0.com/",
  "sub": "github| XXXXX",
  "aud": [
    "https://www.example.com",
    "https://example.us.auth0.com/userinfo"
  ],
  "iat": 1593154207,
  "exp": 1593240607,
  "azp": "X",
  "scope": "openid profile email",
  "permissions": []
}
diggy
(Dgraph Bot)
June 26, 2020, 7:14am
2
dpeek commented :
I think this might be relevant:
GraphQL / Slash docs use ID token, which shouldn’t be used for APIs apparently? And ID tokens only have one aud while access tokens include 2 (your API and the Auth0 tenant URL).
diggy
(Dgraph Bot)
June 27, 2020, 12:29am
3
dpeek commented :
Looks like this is supported in jwt-go v4, so it should be as simple as bumping the version for that.
https://github.com/dgrijalva/jwt-go/pull/188
diggy
(Dgraph Bot)
June 29, 2020, 8:01am
4
pawanrawal commented :
@dpeek I am curious to know how you ran into this issue. Did you try to use Auth0 with Slash GraphQL with some special config or just with the default config?
diggy
(Dgraph Bot)
June 30, 2020, 1:09am
5
dpeek commented :
Hi @pawanrawal, I followed the instructions for using Auth0 with a PWA, and it seems the “aud” claim for an access token there always contains two items: your Auth0 tenant URL and your API “identifier”. The Slash tutorial suggests using the ID token, which is supposedly not what ID tokens are for (Make id_token available via Auth0Client.getIdToken() by tehpsalmist · Pull Request #54 · auth0/auth0-spa-js · GitHub).
Weirdly, when I tried the approach suggested in the tutorial, my ID token had no custom claims in it.
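The `aud` shape this thread is about, as an added example that is not part of the original posts and is not Dgraph's or jwt-go's code: RFC 7519 allows `aud` to be a single string or an array, so a verifier should decode both and then require its own identifier to be present. The names `Audience` and `CheckAudience` are hypothetical, and the payload is assumed to come from a token whose signature has already been verified.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Audience (hypothetical name) holds the "aud" claim. RFC 7519 section 4.1.3
// allows a single string or an array of strings; both decode into a slice.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	var many []string
	if json.Unmarshal(b, &one) == nil {
		many = []string{one}
	} else if json.Unmarshal(b, &many) != nil {
		return errors.New("aud must be a string or an array of strings")
	}
	*a = many
	return nil
}

// CheckAudience (hypothetical name) decodes an already signature-verified
// payload and reports whether expected is one of its audiences.
// A missing aud claim or an empty expected value fails closed.
func CheckAudience(payload []byte, expected string) (bool, error) {
	var c struct {
		Audience Audience `json:"aud"`
	}
	if expected == "" {
		return false, errors.New("expected audience must be configured")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return false, err
	}
	for _, aud := range c.Audience {
		if aud == expected {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed payload shaped like the access token in the first post.
	p := `{"aud":["https://www.example.com","https://example.us.auth0.com/userinfo"]}`
	fmt.Println(CheckAudience([]byte(p), "https://www.example.com"))
}
```
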