And this is the response I get (both in Postman and when I run my application):
{
"errorCode": "E0000002",
"errorSummary": "The request was not valid: api.authn.error.AUDIENCE_NOT_SUPPORTED",
"errorLink": "E0000002",
"errorId": "oae3HUV1AwUSBeBhPYIPEUomA",
"errorCauses": []
}
The request works fine without the audience parameter. However, it allows the user to continue the sign-in process even though they are not assigned to the application.
Is it wrong to assume that the audience parameter is for the application client id? If so, what is the proper way to check if the user is assigned to the application when authenticating?
@andrea Yes, it’s a web app with OAuth/OIDC. I have a simple Node.js server making requests to the API (without Auth SDK or the sign-in widget or such).
This is my current sign-in flow:
1. authenticate the user with the Authentication API and retrieve a session token
2. exchange the session token for an authorization code
3. exchange the authorization code for access & ID tokens
All is good except for checking the application access after the user gives their credentials.
The audience parameter is available only for SAML or WS-Fed enabled apps as described here.
If you would like to authenticate and authorize users, the best solution is to authenticate the user on /api/v1/authn, grab the sessionToken and then pass it to the /authorize endpoint as a query parameter as described here.