401 error when calling a protected API

daniel.meyer · April 2, 2023, 7:40pm

I’m having a pretty persistent issue that when I try and hit a protected API, I’m getting a 401 error.

I have a SPA and am using the auth0-react package.

Auth0Provider code:

const audience = process.env.SERVER_URL;

    <Auth0Provider
      domain={process.env.AUTH0_DOMAIN}
      clientId={process.env.AUTH0_CLIENT_ID}
      authorizationParams={{
        redirect_uri: window.location.origin,
        audience,
        useRefreshTokens: true,
      }}
    >
      <App />
    </Auth0Provider>

Access Token Fetch code:

import { useAuth0 } from "@auth0/auth0-react";
  const { getAccessTokenSilently } = useAuth0();

const accessToken = await getAccessTokenSilently({
          authorizationParams: {
            audience: process.env.SERVER_URL,
          },
        });

Client code to call the API

        const options = {
          method: "GET",
          url: "/api/heaList",
          headers: {
            "content-type": "application/json",
            Authorization: `Bearer ${accessToken}`,
          },
        };

        const heaListResponse = await axios.request(options);

Server validation code:

const { auth } = require("express-oauth2-jwt-bearer");

const jwtCheck = auth({
  audience: process.env.SERVER_URL,
  issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}/`,
  tokenSigningAlg: "RS256",
});

app.use(jwtCheck);

Application settings:

Application Type: Single Page Application
Token Endpoint Authentication Method: None
Allow Cross-Origin Authentication: True
Rotation: True
Reuse Interval: 10
Absolute Expiration: True
Absolute Lifetime: 2592000
Inactivity Expiration: True
Inactivity Lifetime: 1296000

API Settings:

Token Expiration: 86400
Token ExpirationFor Browser Flows: 7200
Signing Algorithm: RS256
Allow Skipping User Consent: True

Rest of settings are false

I have verified the following through debugging:

The process.env.SERVER_URL matches the audience of the protected server.
API is using RS256 signing algorithm
The access code that is produced is valid when I check with jwt.io. It is not expired, the “iss” matches the Auth0 domain, the API audience is included in the “aud” array.

I’m pretty lost lost as to what to try next, so any help is appreciated.

dan.woda · April 4, 2023, 6:34pm

Hi @daniel.meyer,

Welcome to the Auth0 Community!

Is there a more verbose error message? Sometimes the error will include what aspect of the request/token is causing the 401.

Could you please provide a sample token so we can take a look? You can omit sensitive data.

Thanks!

daniel.meyer · April 17, 2023, 3:38am

Sure thing. I’ve pasted the message below:

Bearer realm="api", error="invalid_token", error_description="Failed to fetch authorization server metadata"

Sample token is below:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlJWYTgzRG5Nclh0WUVORUJhanZ5RyJ9.eyJpc3MiOiJodHRwczovL2Rldi1icTIzY3FrYWY4MmhxM2x3LnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2M2U5ZDViNTc0ZWI4OTI4ZTBiNDcwMzQiLCJhdWQiOlsiaHR0cHM6Ly9yZWxheS1wb3dlci1tYXBwaW5nLWFwaS5vbnJlbmRlci5jb20iLCJodHRwczovL2Rldi1icTIzY3FrYWY4MmhxM2x3LnVzLmF1dGgwLmNvbS91c2VyaW5mbyJdLCJpYXQiOjE2ODE3MDIyNDQsImV4cCI6MTY4MTc4ODY0NCwiYXpwIjoiWXJLZG5sbXJOWWpMZk96YTJzVXFMcXQwdHUxamhRMEwiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIn0.OK3NZ05Fi8olqSLsAomhKsW0l3IzzGFvRl7-wzc_TxmIihNKshAzT-BspJ4Aqa_nNFLw1gVGRSeLvlm1coWuffQfjuGFPnZ_hQxhe-fYQfiVHA254uy06k3R0ilUvuIaoO6rwuc70WZ0XVj2f79BrqEV7tKyq0qVOdGRFRTpQT0Ws-a_JEelbg0IqFzhT87r5it7POw_mvHuZdc1QlQxTjZ-Zvz1Ru5VHhIDZUKKAyW769wC0tc7JDzLakGS-bD3s-RtH1u55SUrkt-x7HqKKPi6_h9ppdVURGvgAh_nlA7dE45rKsGIdJiUuZJwo9CWDG9LrBn3aGOzQCpmBtTeMg

dan.woda · April 17, 2023, 1:14pm

@daniel.meyer,

This error suggests that your API isn’t able to request the auth metadata to validate the token.

Can you confirm the issuerBaseURL is correct? You can send it to me in a DM and I’ll have a look.

daniel.meyer · April 23, 2023, 5:25am

Just direct messaged you

kkim · May 9, 2023, 8:11pm

We’re running into a similar issue but only when deploying the API with IISNode on a Windows IIS server.

We’re using the same RS256 signing algo and have confirmed that this works via localhost.

The problem comes up when we host it with a domain name served to us via the IIS Server, and try to access a protected API route using the domain name.

When running a localhost version of said API and trying to hit it via http://localhost:3001, it accepts the token and makes the authentication call⁠.

dan.woda · May 9, 2023, 8:32pm

@kkim,

I never heard a final resolution on this, but I think it was the result of an error in the issuer base url.

If that’s not the issue with you, please open a new topic in the #help category.

kkim · May 14, 2024, 7:56pm

hey past me. im writing this response in case future me forgets and comes back here, a third time. or in case someone else has this issue w/ IISNode in their hosting stack.

Root Issue
we have our IIS node looking at a specific build folder, but our custom web.config was kept in the src directory and not part of the build process.

Solution
move the web.config over.
And in case your issue is on the config stuff; we had to update our location node’s system.webServer child-node to add an iisnode handler. that’s all I’ll say on the matter.

Topic		Replies	Views
SPA + API issue with JWT token Help apis , application	9	355	June 5, 2024
Generating Access Token Help jwt , auth0 , api	4	3250	September 16, 2022
Having trouble with SPA application Help	1	1147	October 14, 2022
Oauth/token endpoint returns 401 Help auth0 , login , access-token	1	5393	January 17, 2022
Error "Service not found" when trying to authenticate user using auth0 in React app with Express.js backend Help auth0-react , sdks-quickstarts	2	3220	August 14, 2023

401 error when calling a protected API

Related Topics