API test token works but user tokens fail

Hello, sorry in advance if this is a noob question but we are new to the platform and pretty stuck…

Currently, in Auth0 we have an Application configured to be a SPA with an API as Custom API.

We then have a Python Flask API with Flask-RESTful which follows the boilerplate code provided. We then use react on our webapp with the Universal Login.

API Code copy/paste from guide
class AuthError(Exception):
    def __init__(self, error, status_code):
    self.error = error
    self.status_code = status_code


@app.errorhandler(AuthError)
def handle_auth_error(ex):
    response = jsonify(ex.error)
    response.status_code = ex.status_code
    return response


# Format error response and append status code
def get_token_auth_header():
    """Obtains the access token from the Authorization Header"""
    auth = request.headers.get("Authorization", None)
    if not auth:
        raise AuthError(
            {
                "code": "authorization_header_missing",
                "description": "Authorization header is expected",
                },
            401,
        )

    parts = auth.split()

    if parts[0].lower() != "bearer":
        raise AuthError(
            {
                "code": "invalid_header",
                "description": "Authorization header must start with" " Bearer",
            },
            401,
        )
    elif len(parts) == 1:
        raise AuthError(
            {"code": "invalid_header", "description": "Token not found"}, 401
        )
    elif len(parts) > 2:
        raise AuthError(
        {
            "code": "invalid_header",
            "description": "Authorization header must be" " Bearer token",
        },
        401,
    )

    token = parts[1]
    return token


def requires_scope(required_scope):
"""Determines if the required scope is present in the access token
Args:
    required_scope (str): The scope required to access the resource
"""
    token = get_token_auth_header()
    unverified_claims = jwt.get_unverified_claims(token)
    if unverified_claims.get("scope"):
    token_scopes = unverified_claims["scope"].split()
        for token_scope in token_scopes:
            if token_scope == required_scope:
                return True
    return False


def requires_auth(f):
    """Determines if the access token is valid"""

@wraps(f)
def decorated(*args, **kwargs):
    token = get_token_auth_header()
    jsonurl = urlopen("https://" + AUTH0_DOMAIN + "/.well-known/jwks.json")
    jwks = json.loads(jsonurl.read())
    print(jwks)
    print(token)
    try:
        unverified_header = jwt.get_unverified_header(token)
    except jwt.JWTError:
        raise AuthError(
            {
                "code": "invalid_header",
                "description": "Invalid header. "
                "Use an RS256 signed JWT Access Token",
            },
            401,
        )
    if unverified_header["alg"] == "HS256":
        raise AuthError(
            {
                "code": "invalid_header",
                "description": "Invalid header. "
                "Use an RS256 signed JWT Access Token",
            },
            401,
        )
    rsa_key = {}
    for key in jwks["keys"]:
        if key["kid"] == unverified_header["kid"]:
            rsa_key = {
                "kty": key["kty"],
                "kid": key["kid"],
                "use": key["use"],
                "n": key["n"],
                "e": key["e"],
            }
    if rsa_key:
        print(rsa_key)
        try:
            payload = jwt.decode(
                token,
                rsa_key,
                algorithms=ALGORITHMS,
                audience=API_IDENTIFIER,
                issuer="https://" + AUTH0_DOMAIN + "/",
            )
        except jwt.ExpiredSignatureError:
            raise AuthError(
                {"code": "token_expired", "description": "token is expired"}, 401
            )
        except jwt.JWTClaimsError as jce:
            print(jce)
            raise AuthError(
                {
                    "code": "invalid_claims",
                    "description": "incorrect claims,"
                    " please check the audience and issuer",
                },
                401,
            )
        except Exception:
            raise AuthError(
                {
                    "code": "invalid_header",
                    "description": "Unable to parse authentication" " token.",
                },
                401,
            )

        _request_ctx_stack.top.current_user = payload
        return f(*args, **kwargs)
    raise AuthError(
        {"code": "invalid_header", "description": "Unable to find appropriate key"},
        401,
    )

return decorated

I have been using postman to test the api but cannot get a user auth token to work. Only when I use a token from the Auth0 API Test tab will it let me through the requires_auth decorator.

Any insight is greatly appreciated!

One thing we just noticed is when we debug a user’s auth token, the audience is the Application domain, but in the decorator we are expecting the audience to be the api

fixed it by setting the API to be the management api instead of our custom api.

1 Like

Glad you have figured it out and thanks for sharing with the rest of community!