Hello!
I have a Next.js project with the Auth0 universal login and a Flask API, and the test with Postman works as expected. The issue I am having is that when trying to use the token from the user session (withApiAuthRequired, getSession) I get the message below. I already have the User Roles and Permissions configured. What am I missing? ERROR
{
"code": "invalid_claims",
"description": "incorrect claims,please check the audience and issuer"
}
The key here should be “please check the audience and issuer” part. That error message usually shows up when:
The audience is not correctly set up. A common cause is trying to use a Custom Domain but you haven’t configured the said Custom Domain on your application configuration.
You are trying to use an Access Token that was issued for a different API. For example, trying to use an Access Token for your custom API when that token was actually issued for the Management API.
As you can see, both scenarios I’ve described are basically the same. Wrong audiences. I’d suggest comparing calls from Postman and the ones made from the application and also decoding the Access Token to see where the mismatch is found: https://jwt.io/
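A small diagnostic for the comparison Ale suggests, added here as an example and not taken from either post or from the Auth0 SDKs: it decodes an access token's claims and reports whether aud and iss match what the Flask API expects. It inspects only; it does not verify the signature, so the API must still validate signature, expiry, audience and issuer before trusting any token. The issuer, API identifier and tokens below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims. Inspection only: the signature is NOT
    verified here, so never base an authorization decision on the result."""
    parts = token.split(".")
    if len(parts) != 3:
        # Auth0 issues an opaque (non-JWT) access token when no API audience
        # was requested; such a token carries no claims to inspect.
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def check_audience_issuer(token: str, expected_aud: str, expected_iss: str) -> dict:
    """Report whether aud and iss match what the API expects. 'aud' may be a
    string or a list (Auth0 appends the userinfo endpoint when the openid
    scope is requested), so membership is tested either way."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return {"aud_ok": expected_aud in auds, "token_aud": auds,
            "iss_ok": claims.get("iss") == expected_iss, "token_iss": claims.get("iss")}

def make_sample_token(claims: dict, key: bytes = b"dummy-test-key") -> str:
    # Constructed HS256 token for demonstration only (Auth0 APIs normally use RS256).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

ISSUER = "https://example-tenant.us.auth0.com/"  # placeholder tenant
API_AUDIENCE = "https://api.example.com"         # placeholder API identifier
# A token issued for the custom API, beside one issued for the Management API instead.
GOOD_TOKEN = make_sample_token({"iss": ISSUER, "aud": [API_AUDIENCE, ISSUER + "userinfo"], "sub": "auth0|123"})
WRONG_TOKEN = make_sample_token({"iss": ISSUER, "aud": ISSUER + "api/v2/", "sub": "auth0|123"})
```

Run check_audience_issuer on the token taken from the Postman call and on the one from getSession with the same expected values; the token_aud field shows which API each was actually issued for.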
Hello Ale,
Thank you for the information. I tested the tokens and yes, they have different audiences. I am still not sure what I am missing in the configuration or what the next step is to get the right token. This is what I have in Auth0:
One Application — Regular Web Application
One API — Within the API I have one permission and the Application is authorized with the permissions under Machine to Machine Applications. When I use the data in the Test tab, it has the same client_id and client_secret as the Application, and that token works fine in the API, but not the idToken or accessToken generated by the universal login.
The User has assigned a Role and the Role has the API Permissions attached.