401 on /userinfo

I’m having some trouble obtaining user information with an access_token, and unfortunately a lot of the previous questions on this topic refer to The /userinfo endpoint returns 401 (Unauthorized) - Auth0 Community which is now private or deleted.

My use case is to retrieve an id_token from a trusted system where there is no user interaction. The process I am using is this:

1. Get access_token

First I execute:

curl --request POST \
  --url 'https://octopusk8s.auth0.com/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type":"password", "username":"admin", "password":"passwordgoeshere", "scope":"openid", "client_id": "clientidgoeshere", "client_secret": "clientscretgoeshere"}'

This successfully returns an access_token. The token uses RS256, and includes “https://octopusk8s.auth0.com/userinfo” as an audience (see the image for the details of the JWT extracted using https://jwt.io/). As far as I’m aware these are the two requirements that a token has to satisfy to call /userinfo.

2. Call /userinfo

I then execute:

curl --url https://octopusk8s.auth0.com/userinfo --header 'Authorization: Bearer accesstokengoeshere'

The result of this is 401, with the WWW-Authenticate header saying

Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"

What sequence of calls can I make with curl (because there is no interactive user and no browser) to get an id_token?

2 Likes
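The two-step sequence from the question, written as an added example (not code from this thread or from Auth0), with a local claim check inserted between the steps. Before spending a request on /userinfo it decodes the access token's header and payload and checks the two properties the question names: the `alg` is RS256 and the tenant's /userinfo URL appears in `aud`. `TENANT`, the `AUTH0_*` variables and the `make_token` helper (which builds a dummy, unsigned token for the offline demonstration) are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Auth0. It reproduces the
# sequence the question describes (password grant, then /userinfo) and, before
# the second call, decodes the access token locally to check the two properties
# the question mentions: alg is RS256 and the /userinfo URL is listed in aud.
# TENANT is a placeholder tenant, not the tenant in the thread. Decoding only
# inspects claims; it does not verify the signature (that is the server's job).

TENANT="${TENANT:-example-tenant.auth0.com}"   # placeholder tenant

# base64url encode/decode helpers (JWT segments are base64url without padding)
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_part TOKEN N  -> decoded segment N (1 = header, 2 = payload)
jwt_part() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"
}

# make_token HEADER_JSON PAYLOAD_JSON -> constructed JWT used only for offline
# demonstration; the third segment is a dummy signature, not a real one.
make_token() {
  printf '%s.%s.%s' "$(b64url_encode "$1")" "$(b64url_encode "$2")" "$(b64url_encode "dummy-signature")"
}

# userinfo_ready TOKEN -> exit 0 if alg is RS256 and aud contains /userinfo,
# otherwise print the reason to stderr and exit 1.
userinfo_ready() {
  tok=$1
  alg=$(jwt_part "$tok" 1 | sed -n 's/.*"alg"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  payload=$(jwt_part "$tok" 2)
  # aud may be a JSON array ("aud":[...]) or a single string ("aud":"...")
  aud=$(printf '%s' "$payload" | sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p')
  [ -n "$aud" ] || aud=$(printf '%s' "$payload" | sed -n 's/.*"aud"[[:space:]]*:[[:space:]]*\("[^"]*"\).*/\1/p')
  if [ "$alg" != "RS256" ]; then
    echo "access token alg is '${alg:-missing}', /userinfo needs RS256" >&2
    return 1
  fi
  case $aud in
    *"\"https://$TENANT/userinfo\""*) return 0 ;;
    *) echo "aud [$aud] does not include https://$TENANT/userinfo" >&2; return 1 ;;
  esac
}

# get_access_token USER PASS CLIENT_ID CLIENT_SECRET -> prints the access_token
# from a resource owner password grant (network call; the question's step 1).
get_access_token() {
  curl --fail --silent --show-error --request POST \
    --url "https://$TENANT/oauth/token" \
    --header 'content-type: application/json' \
    --data "{\"grant_type\":\"password\",\"username\":\"$1\",\"password\":\"$2\",\"scope\":\"openid\",\"client_id\":\"$3\",\"client_secret\":\"$4\"}" \
  | sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# fetch_userinfo TOKEN -> prints the /userinfo JSON (the question's step 2), but
# only after the local claim check passes; note the quoted Authorization header.
fetch_userinfo() {
  userinfo_ready "$1" || return 1
  curl --fail --silent --show-error \
    --url "https://$TENANT/userinfo" \
    --header "Authorization: Bearer $1"
}

# Live usage, only when LIVE=1 and real credentials are exported (assumed names):
if [ "${LIVE:-0}" = "1" ]; then
  token=$(get_access_token "$AUTH0_USER" "$AUTH0_PASS" "$AUTH0_CLIENT_ID" "$AUTH0_CLIENT_SECRET")
  fetch_userinfo "$token"
fi
```

`userinfo_ready` reads claims only; it cannot reproduce the server's signature validation that produced the 401 in the question, but it does catch the two conditions the error text names (a non-RS256 token, or a token whose `aud` does not list /userinfo) before the request is sent, and it makes the quoting of the `Authorization` header explicit, since an unquoted header is split by the shell and never reaches curl intact.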

Hello! You should be getting an id_token back from your original call to /oauth/token. Can you confirm you see both an access_token and id_token? In that case, you won’t need to call userinfo (if the id_token gives you what you need).

If you need to make a call to userinfo, I don’t see any obvious issues with your steps here. One thing I would double check however is that you are using the access_token to call the userinfo API, not the id_token. Remember, the access_token is what you use to call APIs (including userinfo).

Hope this helps!

Regards,
Justin

I am having the same problem. I am trying to have a Rails API call Auth0 for user profile information (via /userinfo). The React client contacts the Rails API with an Access Token that only includes the user_id (as ‘sub’), but does not include the id_token. Initially, the React client gets the access_token and id_token, but only the access token is used for API calls, and this does not include the user's profile information.

How do I get the user's profile at the API server, using only the access_token? The above approach does not work, resulting in an “unauthorized” response.

5 Likes

Hey there!

Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?