Howdy all🤠,
we have a Next.js application up and running with some protected API endpoints.
Our app uses @auth0/nextjs-auth0 for authenticating users with Auth0, and everything works like a charm. However, we now want to use Postman to call these endpoints for an easier debugging experience.
Current Auth0 Setup:
- Regular Web Application setup with client id and client secret
- Custom API with M2M Authorized for Web Application
When I send a request from Postman to {{AUTH0_ISSUER_BASE_URL}}/oauth/token with this body:
{
  "grant_type": "client_credentials",
  "client_id": "{{AUTH0_CLIENT_ID}}",
  "client_secret": "{{AUTH0_CLIENT_SECRET}}",
  "audience": "{{AUTH0_AUDIENCE}}"
}
I get an access_token. However, using this access_token as a Bearer token against one of my protected routes leads me to this error:
{
  "error": "not_authenticated",
  "description": "The user does not have an active session or is not authenticated"
}
This is a small snippet of an endpoint:
import type { NextApiRequest, NextApiResponse } from 'next';
import { withApiAuthRequired, getSession } from '@auth0/nextjs-auth0';

// withApiAuthRequired rejects the request before the handler runs
// unless it finds a valid Auth0 session for the caller.
export default withApiAuthRequired(
  async (req: NextApiRequest, res: NextApiResponse<Data>) => {
    const session = await getSession(req, res);
    if (!session) {
      res.status(401).json({ error: 'No session found' });
      return;
    }
    ...
  }
);
I can't make this example work without disabling authorization entirely. I also couldn't find a solution in the docs.
Is this even the correct approach or is there a misunderstanding?
Kind regards,
Robert