API Access - Authorized Party (azp) claim mismatch in the ID token

brettludwig · August 11, 2022, 8:07pm

Hi, I am trying to login to Auth0 using a Vue js SPA and a redirect login, and call my PHP API with that access token to get the user on the backend and ensure we are verified to make API calls. The docs generally imply that these acquired JWTs can be used directly from the SPA to the API.

Things that work:

Vue SPA is getting a JWT token back
PHP backend, when using the test JWTs from the Auth0 dashboard works fine, verification works great.

What doesn’t work:
If I take the JWT I get from logging in on my SPA and pass that to my PHP API, it will return the error:
Authorized Party (azp) claim mismatch in the ID token:

Authorized Party (azp) claim mismatch in the ID token; expected \"https://localhost/graphql, 62fXXXXXXX02b8e\", found \"yN5XXXXXXXwCJ\""

Vue.use(Auth0Plugin, {
  domain,
  clientId,
  audience: audience,
  onRedirectCallback: appState => {
    router.push(
      appState && appState.targetUrl
        ? appState.targetUrl
        : window.location.pathname
    );
  }
});

I am following the setup instructions listed here:

The redirect link it creates looks correct to me:
https://ekitabu.eu.auth0.com/authorize?clientId=yN5gXXXXXXXXwCJ&responseType=token%20id_token&audience=https%3A%2F%2Flocalhost%2Fgraphql&client_id=yN5gnXXXXXXXXQEpyXwCJ&redirect_uri=http%3A%2F%2Flocalhost%3A8080&scope=openid%20profile%20email&response_type=code&response_mode=web_message&state=dERrMTNXXXXXXXXX285VndCVA%3D%3D&nonce=cHlrWWhEV3lTdXXXXXXXXXXXXXXmdXeQ%3D%3D&code_challenge=HZ7K_XXXXXXXXXXXYuc&code_challenge_method=S256&prompt=none&auth0Client=eyJuYXXXXXXXXXXXXXXXuMSJ9

I have tried the permutations of having the clientId be the

SPA’s client ID

The above mentioned Authorized Party (azp) claim mismatch in the ID token

The ID under “general settings” for the PHP API

this gives an “unknown client” and a misconfiguration screen for the auth0 login redirect page.

The client id given in the test section for PHP API.

this gives me a 401 from the token retrieval auth0 call

Based on this thread, it is my understanding that any issues with azp have been fixed in a PR a few years back. All of the Auth0 examples imply that we can simply get the VueJS JWT and pass it right along to the API, and then with version 8 use the auth0->decode($jwt) function.

I am using a modified version of the jwt-auth-bundle since the official auth0 library is not yet compatible with the 8.0+ PHP SDK. You can see my modified jwt-auth-bundle here

SDK:

            "name": "auth0/auth0-php",
            "version": "8.2.1",

Platform Version:
Symfony 6
Code Snippets/Error Messages/Supporting Details/Screenshots:
Authorized Party (azp) claim mismatch in the ID token

Relevant threads:

github.com/auth0/auth0-PHP

Authorized Party (azp) claim mismatch in the ID token

opened 11:50PM - 03 Feb 20 UTC

closed 04:10PM - 19 Feb 20 UTC

ryangittings

I’m getting “Authorized Party (azp) claim mismatch in the ID token”. Looking …in the SDK’s, it seems to be because the mobile app token seems to be returning two 'aud’s, the API Audience, and the ‘{domain}/userinfo’ endpoint. AUTH0_AUDIENCE = My application Client ID. Mobile App Code ``` Auth0 .webAuth() .scope("openid") .audience("AUTH0_AUDIENCE") .start { switch $0 { case .failure(let error): // Handle the error print("Error: \(error)") case .success(let credentials): print(credentials.accessToken)) } } ``` PHP API ``` $token_issuer = 'https://'.env('AUTH0_DOMAIN').'/'; $jwks_fetcher = new JWKFetcher(); $jwks = $jwks_fetcher->getKeys($token_issuer.'.well-known/jwks.json'); $signature_verifier = new AsymmetricVerifier($jwks); $token_verifier = new IdTokenVerifier( $token_issuer, env('AUTH0_AUDIENCE'), $signature_verifier ); try { $decoded_token = $token_verifier->verify($accessToken); } catch (\Exception $e) { return null; } ```

github.com/auth0/ruby-auth0

validate_id_token fails to validate non-OIDC compliant access tokens due to azp

opened 02:58PM - 28 Jul 22 UTC

closed 09:30PM - 02 Aug 22 UTC

btalayeminaei

feature request

### Describe the problem you'd like to have solved Currently, the only way to… validate tokens is via the `validate_id_token` method in `Auth0::Client`. While it possible to use this method to validate an Auth0 issued `Access Token`, validation fails if the token is not OIDC compliant. If I understand it correctly, access tokens are not required to be OIDC compliant. The particular issue we are running into is with the [azp validation logic](https://github.com/auth0/ruby-auth0/blob/6f11a5da783d9fa9744a62aaaf27ec42d6476d96/lib/auth0/mixins/validation.rb#L121) for the following token: ```js { "iss": "https://caribou-customers-dev.us.auth0.com/", "sub": "auth0|52232b06-1991-4a70-b8b2-80695441a19b", "aud": [ "https://api.caribou-dev.com/", "https://caribou-customers-dev.us.auth0.com/userinfo" ], "iat": 1658964155, "exp": 1659050555, "azp": "09LZ94hgQKfdYe0NWij0bAsWdiDJcKO4", "scope": "openid profile email" } ``` Since there are multiple audiences, the validation logic checks that the `azp` field matches the expected audience. However, Auth0 sets the field to the client_id. ### Describe the ideal solution Here are a couple of solutions that we thought of: - Add a specific method for `Access Token` validation based on [Auth0 guidance](https://auth0.com/docs/secure/tokens/access-tokens/validate-access-tokens) - Allow caller of the existing `validate_id_token` method to skip `azp` validation ## Alternatives and current work-arounds Currently, we monkey patch the `validate_azp` method in our codebase. ```rb class Auth0::Mixins::Validation::IdTokenValidator def validate_azp(claims, expected); end end ``` ## Additional Information semi-relevant resources https://community.auth0.com/t/access-token-has-two-audiences/71041 https://github.com/auth0/auth0-PHP/issues/422#issuecomment-582097775

Relevant PR:

github.com/auth0/auth0-PHP

Add TokenVerifier for non-OIDC-compliant JWTs

auth0:master ← auth0:add-generic-token-validation

opened 11:58PM - 14 Feb 20 UTC

joshcanhelp

+190 -136

### Description Adds a generic JWT verifier class, `TokenVerifier`, which `Id…TokenVerifier` now extends. ### References - Closes #422 - [Validating JWT-formatted access tokens](https://auth0.com/docs/tokens/guides/validate-access-tokens#custom-api-access-tokens) - [More about JWTs](https://jwt.io/introduction/) ### Testing - [x] This change adds test coverage for new/changed/fixed functionality ### Checklist **Note:** documentation will need to come after v7.1.0 of this library is released. PR: https://github.com/auth0/docs/pull/8765 - [x] All active GitHub checks for tests, formatting, and security are passing - [x] The correct base branch is being used, if not `master`

thameera · August 12, 2022, 6:29am

In a SPA + backend API scenario, the token that should be sent to the backend is the Access Token and not the ID token. The ID token is meant as a user identifier and a place to get the user profile info for the SPA only. The backend authorization should be done with the Access Token.

If you are already passing the Access Token but still getting this error, it could be due to the SDK assuming it’s an ID Token. The Auth0 PHP SDK assumes a token is an ID token by default [1]. We need to explicitly tell it that we are validating an Access Token. Eg:

$token = new Token($sdkConfig, $accessToken, Token::TYPE_TOKEN);

The azp check does not happen when an Access Token is decoded this way so you shouldn’t get into the original error.

In case it helps, this document’s got a bit more details on authorizing an API with PHP: Auth0 PHP API SDK Quickstarts: Authorization

[1] auth0-PHP/Token.php at bd785080772275d7769e9d046b188a8364db8fbe · auth0/auth0-PHP · GitHub

brettludwig · August 12, 2022, 6:51pm

That worked, thank you very much!