authormo khan <mo@mokhan.ca>2022-05-16 11:27:26 -0600
committermo khan <mo@mokhan.ca>2022-05-16 11:27:26 -0600
commit6e8d8847041e053a9107e8927078a49763a524d3 (patch)
tree94e631fa84dd943ac622af2f2aab286aed1a922d
parent59b6a9a68bf585c5baabe57ebc5cdfe45485dcd0 (diff)
set audience in initial redirect to /authorize not to /token
-rw-r--r--cmd/ui/main.go16
1 files changed, 7 insertions, 9 deletions
diff --git a/cmd/ui/main.go b/cmd/ui/main.go
index 6319b58..d125d15 100644
--- a/cmd/ui/main.go
+++ b/cmd/ui/main.go
@@ -40,7 +40,7 @@ func SessionFor(sessions map[string]*x.Session, r *http.Request, w http.Response
func main() {
sessions := map[string]*x.Session{}
- godotenv.Load()
+ x.Check(godotenv.Load())
provider := x.Must(oidc.NewProvider(context.Background(), "https://"+os.Getenv("AUTH0_DOMAIN")+"/"))
cfg := oauth2.Config{
ClientID: os.Getenv("AUTH0_CLIENT_ID"),
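Review bot: `x.Check(godotenv.Load())` on the added line turns a missing `.env` file into a startup failure, because godotenv.Load returns the open error when the file is absent; a deployment that supplies the AUTH0_* values through real environment variables and ships no `.env` will now refuse to start where the previous unchecked call ran fine. If the intent is only to surface a malformed file rather than an absent one, tolerate the not-found case: `if err := godotenv.Load(); err != nil && !os.IsNotExist(err) { x.Check(err) }`. What x.Check does with a non-nil error is not visible in this hunk, so this assumes it aborts the process. main() continues past the end of this hunk.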
@@ -48,9 +48,10 @@ func main() {
RedirectURL: os.Getenv("AUTH0_CALLBACK_URL"),
Endpoint: provider.Endpoint(),
Scopes: []string{
- oidc.ScopeOpenID,
- oidc.ScopeOfflineAccess,
+ "email",
"profile",
+ oidc.ScopeOfflineAccess,
+ oidc.ScopeOpenID,
},
}
router := http.NewServeMux()
@@ -66,7 +67,8 @@ func main() {
router.Handle("/login", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
session := SessionFor(sessions, r, w)
session.OAuthState = uuid.GenerateUUID()
- http.Redirect(w, r, cfg.AuthCodeURL(session.OAuthState), http.StatusTemporaryRedirect)
+ url := cfg.AuthCodeURL(session.OAuthState, oauth2.SetAuthURLParam("audience", os.Getenv("AUTH0_AUDIENCE")))
+ http.Redirect(w, r, url, http.StatusTemporaryRedirect)
}))
router.Handle("/callback", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
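Review bot: The new local `url` on the added line shadows the `net/url` package name for the rest of the /login handler if this file imports it, and readers expect that identifier to mean the package; `authURL := cfg.AuthCodeURL(session.OAuthState, oauth2.SetAuthURLParam("audience", os.Getenv("AUTH0_AUDIENCE")))` followed by `http.Redirect(w, r, authURL, http.StatusTemporaryRedirect)` avoids the clash. The audience is also read with `os.Getenv("AUTH0_AUDIENCE")` on every /login request, and an unset variable silently emits `audience=` in the authorize redirect instead of a clear error; reading it once next to the other AUTH0_* values at startup and rejecting an empty value keeps the fail-fast behaviour the first hunk introduces for godotenv.Load. The enclosing main() starts and ends outside this hunk.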
@@ -78,11 +80,7 @@ func main() {
}
client := &http.Client{Transport: x.LoggingRoundTripper{http.DefaultTransport}}
- token := x.Must(cfg.Exchange(
- context.WithValue(r.Context(), oauth2.HTTPClient, client),
- r.URL.Query().Get("code"),
- oauth2.SetAuthURLParam("audience", os.Getenv("AUTH0_AUDIENCE")),
- ))
+ token := x.Must(cfg.Exchange(context.WithValue(r.Context(), oauth2.HTTPClient, client), r.URL.Query().Get("code")))
rawIDToken, ok := token.Extra("id_token").(string)
if !ok {