/userinfo suddenly results in 401, unauthorized (CRITICAL!)

I’ve been using auth0-js for almost a year and it has been working good. Suddently today the login stopped working, without any change to the code or hosting environment. I can’t see any status problems with auth0 and the status pages show 100% uptime with no known issues.

My login procedure is simple, I use auth0-js version 8.8.0 and first I call login with email+password:
https://auth0.com/docs/libraries/auth0js/v8#webauth-client-login-

When that promise is returned I get an accessToken (16 chars), an idToken, an expiresIn time of 86400, type is “Bearer” and scope is “openid profile email address phone”.

After that I call webAuth.client.userInfo(result.accessToken, (err, user) => { … }); according to this: Auth0.js v9 Reference

That call usually gives me the user.sub that I need. However, today this /userinfo call suddenly started to give 401 answers with this error object:

{
    code: 401,
    description: null,
    name: "Error",
    statusCode: 401
}

No error description, nothing in the auth0 logs (except a succesful login), no status problems with auth0 service, no anomalies detected in my auth0 portal.

How can I debug this? Is this a service problem or is it a problem with my code?

Unfortunately I cannot share the code and I haven’t had the time to put a repro repo yet.

This is CRITICAL since none of our end users can login to our service right now.

I’m experiencing the same problem as well. Auth0 was working fine until yesterday, but not today. I’m using auth0-js 8.9.3.

@jin.choi ah, good that I’m not alone. But still (really) bad for me. Do you have any ideas of workarounds? I read in another thread that a delay between login and userinfo helped but it is not helping me. This thread: Intermittent 401 unauthorized response - Auth0 Community

I too can confirm that the login system is not working.
We are having issues with Auth0 Rules. Everything processes correctly according to the debugger, but then client side reports 500 errors.

Ok, thanks for the info.

Sorry, I have no clue. I just discovered this bug a few minutes before I posted. The logs don’t show anything. I just updated auth0-js, but that didn’t help.

I can also add that I tried upgrading to the latest auth0-js on NPM (8.10.1) but it did not help, I got the exact same error.
Also, if I send “incorrect” as accessToken to the userinfo call I get an error with an error description: “invalid_credentials” but when I send the (correct) accessToken I get an description: null. Seems a bit odd.

We’re seeing the same issue. When attempting to hit /userinfo following username+password authentication we get a 401 from auth0. The API logs indicate successful authentication, but that’s it. This is happening in all three of our tenants.

I can also confirm this isn’t working on our end either. It’s been working for months and even worked a couple hours or so ago but it’s borked now. I can confirm their error message

The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens

is junk because the API is RS256 and the token looks like below (obviously sensitive data removed)

 {
  "name": "xxx@xxx.com",
  "nickname": "xxx",
  "picture": "xxx",
  "updated_at": "2017-09-27T20:24:29.554Z",
  "email": "xxx@xxx.com",
  "email_verified": true,
  "iss": "https://auth0domain.hidden.com",
  "sub": "auth0|xxxx",
  "aud": "doF5nW9DkLvO84EOOGX8gwgPSnxjXcWt",
  "iat": 1506543870,
  "exp": 1506579870
}

Our issue is also with the /userinfo call and not the actual authentication. Our logs probably look the same as yours.

Same problem here as well.
Was this an undocumented change in the /userinfo endpoint?

Same problem here

I’m also using RS256 so I (OP) have the same error as you. Thanks for confirming that this isn’t just affecting me. Hope it can be resolved soon.

Unlikely since the error description is null and no new auth0-js release have new parameters in the userinfo call.

Exactly like my description of the error, the login is successful, the /userinfo gives 401.

Same for us. Our users are locked out! No bueno Auth0, no bueno.

Same here.

The was fixed after it was identified, we’ll update more info about it on our status page https://status.auth0.com/

I’ll also add that we are having issues with Authorisation

I should add we are using the AU Preview