"Audience not supported" error when authenticating


I’m trying to authenticate a user in my web application using the primary authentication API endpoint (https://developer.okta.com/docs/reference/api/authn/#primary-authentication).

This is my POST body:

  "username": "{{username}}",
  "password": "{{password}}",
  "audience": "{{clientId}}"

And this is the response I get (both in Postman and when I run my application):

    "errorCode": "E0000002",
    "errorSummary": "The request was not valid: api.authn.error.AUDIENCE_NOT_SUPPORTED",
    "errorLink": "E0000002",
    "errorId": "oae3HUV1AwUSBeBhPYIPEUomA",
    "errorCauses": []

The request works fine without the audience parameter. However, it allows the user to continue the sign-in process even though they are not assigned to the application.

Is it wrong to assume that the audience parameter is for the application client id? If so, what is the proper way to check if the user is assigned to the application when authenticating?

Thank you in advance!

What kind of application are you working on? Is it an OAuth/OpenID Connect Web application?

@andreaskouras Yes, it’s a web app with OAuth/OIDC. I have a simple Node.js server making requests to the API (without Auth SDK or the sign-in widget or such).

This is my current sign-in flow:

  1. authenticate user with the Authentication API and retrieve a session token
  2. exchange the session token to an authorization code
  3. exchange the authorization code to access & ID tokens

All is good except for checking the application access after user gives their credentials.

Hi @msarakon

The audience parameter is available only for SAML or WS-Fed enabled apps as described here.

If you would like to authenticate and authorize users, the best solution is to authenticate the user on /api/v1/authn, grab the sessionToken and then pass it on /authorize endpoint as query parameter as described here.

1 Like

Thank you for the clarification @dragos!