Access token from native app used to auth API request

campme.dev · January 2, 2022, 7:02pm

I have a native app (react native) and API in go. Separately the authorization is working fine. My problem is when I try to use an access token from a native app and send it to API via an authorization header. The server is responding with an invalid token.

My use-case is that only logged-in user should be able to use gql server. Later I would add some permissions/roles to restrict mutations/queries further.

I assumed while working in the same account all APIs and applications can exchange tokens for validations. Is that assumption correct? What am I missing?

Let me add I use Development mode.

FYI I tried following your tutorials but with no luck.

dan.woda · January 5, 2022, 9:05pm

Hi @campme.dev

Welcome to the Auth0 Community!

Can you post the whole error? Is there a message about why it is being rejected? Also, can you please post an example token payload? You can use jwt.io to decode the token (please omit sensitive data).

campme.dev · January 6, 2022, 6:16pm

Hi!
@dan.woda Thanks for the answer!

For the API in Go, I used 1 to 1 code from your example auth0-golang-api-samples/jwt.go at master · auth0-samples/auth0-golang-api-samples · GitHub so I only get a generic error from line 96 "Failed to validate JWT."

The token payload I get from my native app:
{
“given_name”: “Test”,
“family_name”: “Testowski”,
“nickname”: “campme.test”,
“name”: “Test Testowski”,
“picture”: “https://lh3.googleusercontent.com/a/121AATXAJzGoFEI8A7cGreIhDWiBPC-S0Z4BEEFik2-2u0l=s96-c”,
“locale”: “en-GB”,
“updated_at”: “2021-12-30T19:04:05.487Z”,
“iss”: “https://dev-km36il0j.us.auth0.com/”,
“sub”: “google-oauth2|110114067294556416841”,
“aud”: “P1wH4FLJkuDl90gqUYW2qWXXDVSnYBKm”,
“iat”: 1641492730,
“exp”: 1001641492729,
“at_hash”: “0_rX1A9CMfzSQfhM-oji7Q”,
“nonce”: “nonce”
}

I wonder if I do not omit some steps? Can I use the token from my native app directly in API?

dan.woda · January 11, 2022, 1:02pm

It looks like you are sending an ID token, when you should be sending the Access token.

Can you see if there is an access token available in your native app?

campme.dev · January 19, 2022, 7:06pm

@dan.woda thanks, u are right I passed a wrong token, here is the payload of the correct one

{
  "iss": "https://dev-km36ixxx.us.auth0.com/",
  "sub": "google-oauth2|110114067294556416xxx",
  "aud": [
    "https://xxx/",
    "https://dev-km36ixxx.us.auth0.com/userinfo"
  ],
  "iat": 1642618826,
  "exp": 1642626026,
  "azp": "P1wH4FLJkuDl90gqUYW2qWXXDVSxxxx",
  "scope": "openid profile"
}

Unfortunately it still doesn’t work, any idea why?

campme.dev · January 26, 2022, 6:07pm

For future generations and @dan.woda , I managed to solve the issue. The scope in auth settings was the problem. I had to set up the correct scope for auth call to retrieve the token. Seems that the scope to retrieve user information from social logins can’t be mixed up with API specific scope.

After reading docs some more it seems that good practice is to use 2 auth calls with different scopes:

first to retrieve tokens to login user in-app (react native app in my case)
second call to get token for future communication with the APIs

dan.woda · January 26, 2022, 6:13pm

@campme.dev,

Thanks for posting your solution!

system · February 10, 2022, 6:13pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.