Api authentication with credentials from a react-native app

davitoc · August 23, 2023, 5:39am

Hi there,

I have a react-native app and I’m using the react-native-auth0 SDK to login a user and get credentials when the login is successful.

const onLogin = async (callback) => {
    try {
      await authorize().then(async () =>{
        const credentials = await getCredentials();
        await AsyncStorage.setItem('token', credentials.idToken);
        if (callback) {
            callback(); // Call the callback function if provided
          }
      });
    } catch (e) {
      console.log(e);
    }
  };

How I expect to use that token is adding it as an auth bearer to all requests to the API, and verifying the token in a NodeJS backend using the library jsonwebtoken.

module.exports = function(req, res, next) {
    const token = req.header("authorization").replace('Bearer ','');
    if (!token) return res.status(401).json({ message: "Auth Error" });
  
    try {
      var cert = fs.readFileSync(path.resolve(__dirname, '.public key'));  // get public key
      const decoded = jwt.verify(token, cert);
      req.user = decoded.user;
      next();
    } catch (e) {
      console.error(e);
      res.status(500).send({ message: "Invalid Token" });
    }
  };

If I use the idToken the JWT verification works as expected and I can decode the JWT and access user info. The reason why I’m not sure if my approach is correct is because this page says that you should never use Id tokens to obtain direct access to APIs, however, if I use credentials.accessToken the verification fails with a “malformed JWT error”.

Any guidance on the topic is appreciated.

Cheers,

tyf · August 24, 2023, 12:44am

Hey there @davitoc welcome to the community!

That’s correct, you shouldn’t use an ID token against an API but rather an access token - Are you passing an audience param anywhere when initiating WebAuth?

Let us know!

davitoc · August 30, 2023, 10:19pm

Hi Tyf,

Thanks for bringing that up. I wasn’t passing an audience param when initiating WebAuth.

I have done so now in addition to follow up a guide for the Mobile + API implementation.

  const onLogin = async (callback) => {
    const authorizeConfig ={
      issuer: 'API issuer,
      audience:'API audience'
    };

    try {
      await authorize(authorizeConfig).then(async () =>{
        const credentials = await getCredentials();

        await AsyncStorage.setItem('token', credentials.accessToken);
        if (callback) {
            callback(); // Call the callback function if provided
          }
      });
    } catch (e) {
      console.log(e);
    }
  };

Got it working

tyf · August 30, 2023, 11:18pm

Hey @davitoc that’s great news thanks for sharing here!

system · September 13, 2023, 11:18pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Make Request to Auth0 api from react native app Help	8	4951	September 23, 2021
React-Native JWT Issues Help jwt , auth0 , react-native	3	3143	December 22, 2021
Get tokens for native app and its backing API with a single auth flow using react-native-auth0 Help jwt , api , react-native , native , react-native-auth0	3	3391	July 29, 2021
React native access token Help react-native-auth0 , sdks-quickstarts	2	3097	November 1, 2023
API Tokens - React Native SDK Help react-native , react-native-auth0	3	4748	September 4, 2020

Api authentication with credentials from a react-native app

Related Topics