Access Token is opaque. Need help on converting it into JWT

grvsam768 · September 9, 2021, 6:04am

I am new to Auth0 so apologies if my questions are not clear. **So what I want to do is get access token in JWT form and use it later in my backend api (As of now access token is coming as opaque). **

Till now I have only downloaded the Auth0 sample in GO language and I have no custom change. Here is the code for the reference

package auth

import (
	"context"
	"log"
	"os"

	"golang.org/x/oauth2"

	oidc "github.com/coreos/go-oidc"
)

type Authenticator struct {
	Provider *oidc.Provider
	Config   oauth2.Config
	Ctx      context.Context
}

func NewAuthenticator() (*Authenticator, error) {
	ctx := context.Background()

	provider, err := oidc.NewProvider(ctx, "https://"+os.Getenv("AUTH0_DOMAIN")+"/")
	if err != nil {
		log.Printf("failed to get provider: %v", err)
		return nil, err
	}

	conf := oauth2.Config{
		ClientID:     os.Getenv("AUTH0_CLIENT_ID"),
		ClientSecret: os.Getenv("AUTH0_CLIENT_SECRET"),
		RedirectURL:  os.Getenv("AUTH0_CALLBACK_URL"),
		Endpoint:     provider.Endpoint(),
		Scopes:       []string{oidc.ScopeOpenID, "profile"},
	}

	return &Authenticator{
		Provider: provider,
		Config:   conf,
		Ctx:      ctx,
	}, nil
}

package callback

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"os"
	"strings"

	"github.com/coreos/go-oidc"

	"app"
	"auth"
)

func CallbackHandler(w http.ResponseWriter, r *http.Request) {
	session, err := app.Store.Get(r, "auth-session")
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	if r.URL.Query().Get("state") != session.Values["state"] {
		http.Error(w, "Invalid state parameter", http.StatusBadRequest)
		return
	}

	authenticator, err := auth.NewAuthenticator()
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	fmt.Println(r.URL.Query().Get("code"))

	token, err := authenticator.Config.Exchange(context.TODO(), r.URL.Query().Get("code"))
	if err != nil {
		log.Printf("no token found: %v", err)
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	fmt.Println(strings.Repeat("-", 30))
	fmt.Println("The refresh token is")
	fmt.Println(token.RefreshToken)
	fmt.Println(strings.Repeat("-", 30))

	fmt.Println(strings.Repeat("-", 30))
	fmt.Println("The token is")
	fmt.Println(token)
	fmt.Println(strings.Repeat("-", 30))

	rawIDToken, ok := token.Extra("id_token").(string)
	if !ok {
		http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
		return
	}

	oidcConfig := &oidc.Config{
		ClientID: os.Getenv("AUTH0_CLIENT_ID"),
	}

	idToken, err := authenticator.Provider.Verifier(oidcConfig).Verify(context.TODO(), rawIDToken)

	if err != nil {
		http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
		return
	}

	fmt.Println(strings.Repeat("-", 30))
	fmt.Println("The id token is")
	fmt.Printf("%+v\n", idToken)
	fmt.Println(strings.Repeat("-", 30))

	// Getting now the userInfo
	var profile map[string]interface{}
	if err := idToken.Claims(&profile); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	session.Values["id_token"] = rawIDToken
	session.Values["access_token"] = token.AccessToken
	session.Values["profile"] = profile

	fmt.Println(strings.Repeat("-", 30))
	fmt.Println(session.Values["access_token"])
	fmt.Println(strings.Repeat("-", 30))
	fmt.Println(session.Values["id_token"])
	fmt.Println(strings.Repeat("-", 30))
	fmt.Println(session.Values["profile"])

	err = session.Save(r, w)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// Redirect to logged in page
	http.Redirect(w, r, "/user", http.StatusSeeOther)
}

When I read the access token in the session object it is coming in weird form(which I understand is opaque). If anybody can point me what change I have to make in this code to get Access token in JWT form that will be awesome

chinds · September 9, 2021, 11:00am

I think in your case you need to include the audience param with your Auth0 config here

grvsam768:

conf := oauth2.Config{
		ClientID:     os.Getenv("AUTH0_CLIENT_ID"),
		ClientSecret: os.Getenv("AUTH0_CLIENT_SECRET"),
		RedirectURL:  os.Getenv("AUTH0_CALLBACK_URL"),
		Endpoint:     provider.Endpoint(),
		Scopes:       []string{oidc.ScopeOpenID, "profile"},
	}

See here for more info Access Tokens

grvsam768 · September 9, 2021, 3:35pm

I did look into that yesterday. It looks like there is no support to add Audience in the config method.I could be wrong though

type Config struct {
	// ClientID is the application's ID.
	ClientID string

	// ClientSecret is the application's secret.
	ClientSecret string

	// Endpoint contains the resource server's token endpoint
	// URLs. These are constants specific to each server and are
	// often available via site-specific packages, such as
	// google.Endpoint or github.Endpoint.
	Endpoint Endpoint

	// RedirectURL is the URL to redirect users going through
	// the OAuth flow, after the resource owner's URLs.
	RedirectURL string

	// Scope specifies optional requested permissions.
	Scopes []string
}

If somebody from Auth0 team can guide me on this that will be great

grvsam768 · September 9, 2021, 5:19pm

Bump. Will appreciate if somebody can help me on this.

Topic		Replies	Views
OIDC Access Token (mine is opaque, but docs say it should be JWT) Help oidc , oidc-conformant	8	9706	September 3, 2019
Implicit access_token Opegue, not JWT? OIDC Enabled Help	3	3871	December 4, 2018
Getting JWT Access Token instead of Opaque Token from /oauth/token with Authorization Code Flow Help jwt , access-token	4	4329	September 5, 2020
Opaque JWT returned from login Help login	2	1412	November 4, 2022
Auth0 access token missing returns only opaque Help auth0 , login	2	2229	September 10, 2022

Access Token is opaque. Need help on converting it into JWT

Related Topics