401 on /userinfo

I’m having some trouble obtaining user information with an access_token, and unfortunately a lot of the previous questions on this topic refer to http://community.auth0.com/questions/516/httpsuserinfo-returns-401-unauthorized which is now private or deleted.

My use case is to retrieve an id_token from a trusted system where there is no user interaction. The process I am using is this:

  1. Get access_token
    First I execute:
curl --request POST \
  --url 'https://octopusk8s.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"password", "username":"admin", "password":"passwordgoeshere", "scope":"openid", "client_id": "clientidgoeshere", "client_secret": "clientscretgoeshere"}'

This successfully returns an access_token. The token uses RS256, and includes “https://octopusk8s.auth0.com/userinfo” as an audience (see the image for the details of the JWT extracted using https://jwt.io/). As far as I’m aware these are the two requirements that a token has to satisfy to call /userinfo.

  2. Call /userinfo

I then execute:

curl --url https://octopusk8s.auth0.com/userinfo --header 'Authorization: Bearer accesstokengoeshere'

The result of this is 401, with the WWW-Authenticate header saying

Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"

What sequence of calls can I make with curl (because there is no interactive user and no browser) to get an id_token?

Hello! You should be getting an id_token back from your original call to /oauth/token. Can you confirm you see both an access_token and id_token? In that case, you won’t need to call userinfo (if the id_token gives you what you need).

If you need to make a call to userinfo, I don’t see any obvious issues with your steps here. One thing I would double check however is that you are using the access_token to call the userinfo API, not the id_token. Remember, the access_token is what you use to call APIs (including userinfo).

Hope this helps!
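
An offline check for the two conditions the question names (RS256 and the /userinfo audience) and for the reply's access_token versus id_token point, as an added Python example that is not part of either post. It decodes the token without verifying the signature; `make_sample` and the `api.example.test` audience are constructed for the demo.

```python
import base64
import json

USERINFO_AUD = "https://octopusk8s.auth0.com/userinfo"  # audience quoted in the question

def b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding) to JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_token(token, userinfo_aud=USERINFO_AUD):
    """Return (header, claims, findings) WITHOUT verifying the signature.

    Diagnostic only: unverified claims must never drive an authorization decision.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None, None, ["not a three-part JWT (opaque token or truncated paste)"]
    try:
        header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None, None, ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None, None, ["header or payload is not a JSON object"]
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or a list
    findings = []
    alg = header.get("alg")
    if alg != "RS256":
        findings.append(f"alg is {alg}, not RS256")
    if alg == "HS256" and len(audiences) > 1:
        findings.append("HS256 with multiple audiences (the cause named in the 401)")
    if userinfo_aud not in audiences:
        findings.append(f"aud {audiences} lacks the /userinfo URL; an id_token's aud is the client_id")
    return header, claims, findings

def make_sample(alg, aud):
    """Build a constructed, unsigned token for the demo (the signature part is a dummy)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc({"sub": "constructed-user", "aud": aud}), "sig"])

if __name__ == "__main__":
    samples = {
        "access_token, RS256": make_sample("RS256", ["https://api.example.test", USERINFO_AUD]),
        "access_token, HS256": make_sample("HS256", ["https://api.example.test", USERINFO_AUD]),
        "id_token sent by mistake": make_sample("RS256", "clientidgoeshere"),
    }
    for label, tok in samples.items():
        print(label, "->", inspect_token(tok)[2] or "no findings")
```

A token that passes both checks can still be rejected for reasons this script does not look at, such as expiry or a signature that fails verification.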


I am having the same problem. I am trying to have a Rails API call Auth0 for user profile information (via /userinfo). The React client contacts the Rails API with an Access Token that only includes the user_id (as ‘sub’), but does not include the id_token. Initially, the React client gets the access_token and id_token, but only the access token is used for API calls, and this does not include the user’s profile information.

How do I get the user’s profile at the API server, using only the access_token? The above approach does not work, resulting in an “unauthorized” response.


