
401 (Unauthorized)

jwt-validation

#1

I am doing reactjs-authentication-tutorial. The login process works fine; however, when I try to access Celebrity Jokes the browser console shows: GET http://localhost:3333/api/jokes/celebrity 401 (Unauthorized), and the server console shows: UnauthorizedError: jwt malformed.

I cloned the repo and filled in the required values so not sure what’s going wrong here.

server.js
    const jwt = require('express-jwt');
    const jwks = require('jwks-rsa');

    const authCheck = jwt({
      secret: jwks.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        // YOUR-AUTH0-DOMAIN name e.g https://prosper.auth0.com
        jwksUri: 'https://nepherius.eu.auth0.com/.well-known/jwks.json'
      }),
      // This is the identifier we set when we created the API
      audience: 'https://nepherius.eu.auth0.com/api/v2/',
      // Compared exactly against the token's iss claim
      issuer: 'nepherius.eu.auth0.com',
      // express-jwt expects an array of allowed algorithms
      algorithms: ['RS256']
    });

AuthService.js
    const CLIENT_ID = 'pwawvou4hsdf7mnNJuMuV5Glx2a0Vz4X7imup';
    const CLIENT_DOMAIN = 'nepherius.eu.auth0.com';
    const REDIRECT = 'http://localhost:3000/callback';
    const SCOPE = 'openid';
    const AUDIENCE = 'https://nepherius.eu.auth0.com/userinfo';

#2

The information provided, although it shows an incorrect configuration that might be the underlying root cause of the problem, is insufficient to provide a definitive answer. In particular, if the question contained the header and payload components of the JWT access token being sent to the API (after redacting information you deem sensitive), it would likely help in providing a more helpful answer.

From what you shared I’m assuming you’re following this blog post, and if that’s correct then you had to create an API in the APIs section of your Auth0 dashboard. The blog uses http://chucknorrisworld.com as the identifier assigned to the created API, and if you have done the same then you need to ensure that in server.js the audience property is set to that value and in AuthService.js you set AUDIENCE to that same value. This way the client application requests an access token for the correct API, and the API can validate that the token was issued to itself.