Right way to call userinfo

  • I have created an API with the RS256 signing algorithm and http://localhost:3000/api/v1 as the Identifier (audience), and I added openid, phone, profile as the scopes to the created API

  • Then I created an application to invoke the above API, with RS256 signing, and turned off OIDC Conformant since I’m using a customized login page.

  • I was able to invoke the following authorize request successfully:
    https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://hostname.auth0.com/userinfo

  • After getting the code I was able to execute the token call and received the access_token:

    curl --request POST \
      --url https://hostname.auth0.com/oauth/token \
      --header 'content-type: application/json' \
      --data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"localhost:3000/api/v1","grant_type":"client_credentials","code":"CODE"}'

  • But after decoding the JWT token I couldn’t see the userinfo endpoint in the audience field

  • So I’m getting an unauthorized error when executing the following userinfo call, but I was able to call my other API (secured resources) using the given access token without any issue.

    curl --request GET \
      --url 'https://hostname.auth0.com/userinfo' \
      --header 'authorization: Bearer {ACCESS_TOKEN}' \
      --header 'content-type: application/json'

Unauthorized

  • Then I tried to invoke the token endpoint using the userinfo URL as the audience value:

curl --request POST \
--url https://hostname.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"https://hostname.auth0.com/userinfo","grant_type":"client_credentials","code": "CODE"}'

Then I’m getting the following error:

{"error":"access_denied","error_description":"Client is not authorized to access \"https://hostname.auth0.com/userinfo\". You might probably want to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}
  • When I tried to add the userinfo URL as an additional Identifier (audience) when creating an API, I got an error saying ‘provided identifier is reserved’
  • Please let me know what I’m doing wrong here. Looking forward to your reply.

After you obtained the authorization code following your request to /authorize you’re not actually using it because you’re performing a client credentials grant (this part "grant_type":"client_credentials" of the request).

Check the reference documentation on how to implement the authorization code exchange.
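As an added example (not part of this thread or of Auth0's documentation), a small POSIX shell script that builds the authorization-code exchange body the answer refers to, and inspects an access token's aud claim the way the poster did before calling /userinfo. The token it decodes is constructed locally with a bogus signature; CLIENT_ID, CLIENT_SECRET, CODE and the redirect_uri are placeholders taken from the poster's own requests.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the authorization-code
# token request and inspects the aud claim of a JWT. The sample token is
# constructed here; real tokens come back from /oauth/token.

b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# JSON body for the authorization-code exchange. The code returned by
# /authorize is only consumed by grant_type=authorization_code; a
# client_credentials request ignores it entirely.
# Args: client_id client_secret code redirect_uri (must match /authorize)
token_request_body() {
  printf '{"grant_type":"authorization_code","client_id":"%s","client_secret":"%s","code":"%s","redirect_uri":"%s"}' \
    "$1" "$2" "$3" "$4"
}

# Decode the payload segment of a JWT (base64url). Inspection only:
# this does NOT verify the RS256 signature.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Exit 0 when the aud claim (string or array) lists the given audience.
aud_contains() {
  jwt_payload "$1" | grep -qF "\"$2\""
}

# Build a constructed, unsigned sample token from a JSON payload string.
sample_token() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '%s' "$1" | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "constructed-signature"
}

# Demo: print the exchange body, then check a constructed token's aud
# before deciding whether a /userinfo call can succeed with it.
if [ "${1:-}" = "demo" ]; then
  token_request_body CLIENT_ID CLIENT_SECRET CODE http://localhost:4200/dashboard; echo
  t=$(sample_token '{"iss":"https://hostname.auth0.com/","aud":["http://localhost:3000/api/v1","https://hostname.auth0.com/userinfo"],"scope":"openid profile"}')
  aud_contains "$t" https://hostname.auth0.com/userinfo && echo "userinfo is in aud"
fi
```

Run with `sh script.sh demo`; to perform the real exchange, POST the output of `token_request_body` to `https://hostname.auth0.com/oauth/token` with `content-type: application/json`, as in the poster's curl calls.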