Access_token is malformed jwt when authenticating with google-oauth2

I have a web application and I authenticate with google.
I get a code back and I exchange it for a token by POST to /oauth/token.
I get a successful token response, but when I try decode the access_token inside I get “jwt malformed”.

const axios = require('axios')
const qs = require('qs')

const url = `https://${process.env.DOMAIN}/oauth/token`

// Authorization Code exchange: the code from the /callback is traded for tokens
const data = {
      grant_type: 'authorization_code',
      client_id: process.env.CLIENT_ID,
      client_secret: process.env.CLIENT_SECRET,
      code: "the code",
      redirect_uri: process.env.CALLBACK_URL,
}

// Body is sent form-encoded (application/x-www-form-urlencoded)
const resp = await axios.post(url, qs.stringify(data))

I have also tried sending the data as json with the same result.

Hi @mattymillar,

Thanks for reaching out to the Auth0 Community!

I understand that you’ve received a malformed access token when authenticating with google-oauth2.

After looking at your axios.post request, it appears to be missing the request headers.

Could you try the following instead:

const axios = require('axios')
const qs = require('qs')

const url = `https://${process.env.DOMAIN}/oauth/token`

const data = {
    grant_type: 'authorization_code',
    client_id: process.env.CLIENT_ID,
    client_secret: process.env.CLIENT_SECRET,
    code: "the code",
    redirect_uri: process.env.CALLBACK_URL,
}

// Explicitly set the content type expected by /oauth/token
const options = {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  }
};

const resp = await axios.post(url, qs.stringify(data), options)

The Call Your API Using the Authorization Code Flow documentation goes into full detail on how to form the /oauth/token request.

After doing so, you should be able to decode your access token without issues.

Please feel free to reach out if you have any further questions.

Thank you.

Hi @rueben.tiow,

Thanks for your reply!

Unfortunately I don’t think this is the issue… If you send a request via axios.post with a query string as data it automatically sets the content-type header to application/x-www-form-urlencoded.

You can see it in the axios docs here. I confirmed this by sending the request to my own endpoint and checking the headers.

I tried setting the header explicitly as in your example code but I get the same result.

I also tried using curl with the same result

curl --request POST \
  --url 'https://***.eu.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code' \
  --data 'client_id=***' \
  --data 'client_secret=***' \
  --data 'code=***' \
  --data 'redirect_uri=http://localhost:3000/callback'

If you’ve got any other ideas they’d be much appreciated!

Cheers,

Matt


Hi Matt,

You are getting an opaque access token. You must specify an audience to get a JWT access token.

John


Hi @john.gateley

Thanks for your reply! I tried curl with the audience parameter included but I get the same result…

curl --request POST \
  --url 'https://***.eu.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code' \
  --data 'client_id=***' \
  --data 'client_secret=***' \
  --data 'code=***' \
  --data 'redirect_uri=http://localhost:3000/callback' \
  --data 'audience=https://***/'

I will do some digging into opaque tokens!

Cheers,

Matt

Thanks for helping out on this one @john.gateley.

Hi @mattymillar,

You’ll need to take one step back to your /authorize request and make sure that you’ve included the audience parameter.

For example:

https://YOUR_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    audience=API_AUDIENCE&
    state=STATE

Moreover, I’d like to reiterate that the access token is opaque because there is no value passed for the audience parameter. This is to be expected and explained in our Get Access Tokens docs. Using your API identifier or the Management API identifier will produce a JWT access token instead.

Please let us know if there’s anything else we can do to help.

Thank you.


@rueben.tiow @john.gateley

Thank you! This has solved my issue.

Cheers

Matt

