401 on /userinfo

matthew.casperson · March 13, 2018, 9:47pm

I’m having some trouble obtaining user information with an access_token, and unfortunately a lot of the previous questions on this topic refer to The /userinfo endpoint returns 401 (Unauthorized) - Auth0 Community which is now private or deleted.

My use case is to retrieve an id_token from a trusted system where there is no user interaction. The process I am using is this:

Get access_token
First I execute:

curl --request POST \
  --url 'https://octopusk8s.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"password", "username":"admin", "password":"passwordgoeshere", "scope":"openid", "client_id": "clientidgoeshere", "client_secret": "clientscretgoeshere"
 }'

This successfully returns an access_token. The token uses RS256, and includes “https://octopusk8s.auth0.com/userinfo” as an audience (see the image for the details of the JWT extracted using https://jwt.io/). As far as I’m aware these are the two requirements that a token has to satisfy to call /userinfo.

Call /userinfo

I then execute:

curl --url https://octopusk8s.auth0.com/userinfo --header Authorization: Bearer accesstokengoeshere‘

The result of this is 401, with the WWW-Authenticate header saying

Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"

What sequence of calls can I make with curl (because there is no interactive user and no browser) to get an id_token?

justin · May 7, 2018, 8:20pm

Hello! You should be getting an id_token back from your original call to /oauth/token. Can you confirm you see both an access_token and id_token? In that case, you won’t need to call userinfo (if the id_token gives you what you need).

If you need to make a call to userinfo, I don’t see any obvious issues with your steps here. One thing I would double check however is that you are using the access_token to call the userinfo API, not the id_token. Remember, the access_token is what you use to call APIs (including userinfo).

Hope this helps!

Regards,
Justin

nerriezohn · November 13, 2018, 11:02pm

I am having the same problem. I am trying to have a Rails API to call Auth0 for user profile information (via /userfinfo). The React client contacts the Rails API with an Access Token that only includes the user_id (as ‘sub’), but does not include the id_token. Initially, the React client gets the access_token and id_token, but only the access token is used for API calls, and this does not include the users profile information.

How do I get the users profile at the API server, using only the access_token? the above approach does not work - resulting in a “unauthorized” response.

konrad.sopala · August 28, 2019, 11:53am

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

Topic		Replies	Views
Right way to call userinfo Help userinfo , access-token , token-endpoint , authorize-endpoint	2	12713	March 2, 2018
/userinfo API returns 401 Unauthorized JWT.io auth0 , api	6	1970	May 27, 2023
HTTP 401 /userinfo Help auth0	2	4762	March 2, 2018
When call /userinfo API returns Unauthorized Help login-experience , new-universal-login-experience	3	2480	February 9, 2023
Not able to access /userinfo from created API Help access-token-userinf	5	5860	March 2, 2018

401 on /userinfo

Related Topics