In my AngularJS SPA, the Implicit Grant flow is used. When a user logs in, the SPA gets an id_token and an access_token. When the SPA calls a simple Spring API that is protected, the header is set with the access_token (and I tried with id_token). But the answer is always 401 Unauthorized!
I checked the issuer and the audience in Spring. I checked the client_id, domain and audience in AngularJS. I tried the Authorization Code Grant flow (which is not recommended in my case, I think). But with this id_token, the answer is 200 OK. Can I have any advice on why the solution with the Implicit Grant flow doesn’t work?
Access tokens should always be used to call your APIs, as explained here. For you to be able to use the access token to access an API, it needs to have the proper audience, scope (depends on the case) and issuer. It must not be expired and the signature has to be valid. The access token verification process is explained in this document in greater detail.
If you’re getting an Unauthorized error message there are several aspects that you can check by inspecting the token through a tool like jwt.io:
Verify that the token has the proper audience by looking at the aud claim. It has to be the API identifier that you set through the Dashboard and that you are using in your validation code on the API.
Verify that the issuer is the same Auth0 domain (with a https:// prefix and a / suffix) that you’ve configured in the validation code that you’re using in your API by inspecting the iss claim.
If you’re using RS256 tokens, verify that you’re getting the proper keys from the jwks endpoint ( https://YOUR_DOMAIN.REGION.auth0.com/.well-known/jwks.json ). Depending on how you are validating the token, you should verify that the Auth0 Domain that you’re using is correct, since you may be using a special package or library that only requires you to configure this.
If you’re protecting some routes with specific scopes, verify that those are included in the scope claim of the access token.
Confirm that the token is not expired. You might be setting an expiration time that’s too low in the API settings on the Dashboard. If this is the case, you might get a Token Expired error instead of an Unauthorized one.
If after reviewing all of these aspects you still get the same error message, can you please provide the code you’re using to configure the SPA and the API? (Please remove any information that might be private or use some test credentials that you can modify later).
Thanks. The website jwt.io helped a lot. The access_token contained unexpected values for aud, although I checked the audience values before. So I debugged but found other bugs that have nothing to do with Auth0. After fixing that, the aud values were correct on jwt.io.