The /userinfo endpoint returns 401 (Unauthorized)

The 401 error happens when performing the following call:

lock.getUserInfo(authResult.accessToken, (error, profile) => ...)

while using Angular 2 together with the most recent Lock from CDN

<script src="https://cdn.auth0.com/js/lock/10.14.0/lock.min.js"></script>

The access token is:

{
  "iss": "https://consort-it.eu.auth0.com/",
  "sub": "auth0|5878e4cdf299cf16c0558a10",
  "aud": [
    "https://cme.consort-it.de"
  ],
  "azp": "XByZxpuDPlwnXe1mYTe2gu3VP8n59ld1",
  "exp": 1491403739,
  "iat": 1491317339,
  "scope": "openid profile cme:user cme:admin",
  "gty": "password"
}

Probably the audience for /userinfo is missing but the audience parameter in the lock JSON configuration is not an array:

lock = new Auth0Lock('XBy...P8n59ld1', 'consort-it.eu.auth0.com', {
  oidcConformant: true,
  auth: {
    params: {
      scope: 'openid profile',
      audience: 'https://cme.consort-it.de' // API is not part of the Node application
    }
  }
});

Our use case is an Angular client which calls a separate API - this is the audience.

The /userinfo endpoint can be called either with an opaque access token that is specifically aimed for this purpose (currently, you could distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.

When the access token is in the JWT format, the token must list https://[your_account].auth0.com/userinfo as an audience (aud) in order for it to be valid to call the /userinfo endpoint.

The access token you’re using does not meet this requirement as it only lists a different API as a valid audience. When you specify an audience parameter for an endpoint other than the user information one, you need to consider that /userinfo will only be included as an additional audience if the following occurs:

  • the API specified in the audience parameter does not use HS256 as the signing algorithm.
  • you specify a scope parameter that includes openid.

Based on the information you provided you seem to be correctly asking for the openid scope. It’s not clear which signing algorithm the API you used as audience is using as you did not include the header component of the issued access token. However, if the API uses HS256 then that’s the explanation for why you don’t get an audience valid for /userinfo.

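The rules in the answer above can be checked client-side before calling lock.getUserInfo, which makes the 401 easier to diagnose. The following is an added example, not code from the thread or from Auth0 Lock: it decodes the access token (without verifying the signature) and reports whether it carries the /userinfo audience; the domain and the sample claims are assumed values.

```javascript
// Added diagnostic (not from the thread): decode an Auth0 access token and say
// whether it can be presented to https://<domain>/userinfo, per the two conditions
// above. No signature check is done; this only explains a 401 before getUserInfo.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds an unsigned JWT from header and payload objects (constructed test data only).
function unsignedJwt(header, payload) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// Returns { usable, reason, aud }. An opaque 16-character token is the one issued
// specifically for /userinfo; a JWT must carry the /userinfo URL in `aud`.
function checkUserinfoAudience(token, domain) {
  const userinfoAud = `https://${domain}/userinfo`;
  if (typeof token !== 'string' || !token) return { usable: false, reason: 'no token', aud: [] };
  if (!token.includes('.')) {
    return token.length === 16
      ? { usable: true, reason: 'opaque /userinfo token', aud: [] }
      : { usable: false, reason: 'opaque token of unexpected length', aud: [] };
  }
  const parts = token.split('.');
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return { usable: false, reason: 'malformed JWT', aud: [] };
  }
  // `aud` may be a string or an array; normalise to an array before checking.
  const aud = [].concat(payload.aud || []);
  if (aud.includes(userinfoAud)) {
    return { usable: true, reason: 'JWT lists the /userinfo audience', aud };
  }
  // Not valid for /userinfo: name the most likely cause from the answer's conditions.
  const scopes = String(payload.scope || '').split(' ');
  let reason = '/userinfo audience missing';
  if (header.alg === 'HS256') reason += ' (API audience signed with HS256)';
  else if (!scopes.includes('openid')) reason += ' (openid scope not requested)';
  return { usable: false, reason, aud };
}
```

Run checkUserinfoAudience(authResult.accessToken, 'your-tenant.auth0.com') in the Lock authenticated callback; a result with usable false tells you to use the id_token or a Management API call for the profile instead.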

This is exactly what I needed to know in API access to user information - Auth0 Community - is this documented somewhere? I couldn’t find it…

I have the same problem. I have declared my own API and I am using /authorize with email/password and my own API as audience, since I need an access token valid for my own API.
In the responseType I specify token and id_token, I get back both but neither work since the audience is my own API or the client id.
I am not sure on what to do, am I expected to login to auth0’s API too? It gets a bit complex…

Replying to myself: the accessToken allows me to use some management endpoint. This allows me to get the user profile…

Can you say more? Which management API endpoint?

I’ve just tried /api/v2/users/ID which returns me all profile data I need. I’m also about to try an update. I don’t know exactly what api I can use with this token, since the api explorer can’t get scopes out of it. Which is also confirmed if I put the token in jwt.io, there are no defined scopes.

Specifically, this works for me using the accessToken with my API as audience:

UPDATE: sorry, I am an idiot. Too many cut&paste for today… Management API works using the id_token (not the access_token as I’ve stated previously).

Hi, I am experiencing the same problem. I am using lock10 to authorize an audience API that is RS256 and I have openid as scope, but the resulting token still does not list /userinfo as one of the audiences alongside my API.

I have the same setup as you. Did you ever figure it out?