/api/v2/users/ : invalid token

Hello,

I want to be able to know who's connected to my app. The connected client is sending a request to https://<My-tenant>/api/v2/users/auth|7C5da4e39...
But all I've got is:
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid token",
  "attributes": {
    "error": "Invalid token"
  }
}

Even though my bearer token is good:

curl -X GET \
  'https:///api/v2/users/auth|7C5da4e39…' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: did=s%3Av0%3Ab1c73020-eec5-11e9-8b08-0b53a7bca7b8.OSqrSY17xzwAfRRssMMfn75F9wLg3PlhP190Lr%2BEfnY; did_compat=s%3Av0%3Ab1c73020-eec5-11e9-8b08-0b53a7bca7b8.OSqrSY17xzwAfRRssMMfn75F9wLg3PlhP190Lr%2BEfnY' \
  -H 'Host: ' \
  -H 'Postman-Token: 5346e142-29c6-4121-a734-0e96e811fe2b,e98fa9c9-8351-42da-b5cd-6d6c55e121d2' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-encoding: gzip, deflate' \
  -H 'accept-language: en-US' \
  -H 'authority: ' \
  -H 'authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlF6TTNOe…' \
  -H 'cache-control: no-cache' \
  -H 'origin: http:///' \
  -H 'referer: http:///' \
  -H 'user-agent: Mozilla/5.0 (Linux; Android 7.1.1; Android SDK built for x86 Build/NYC; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36' \
  -H 'x-devtools-emulate-network-conditions-client-id: ef416d8b-3431-4082-8404-526922792185' \
  -H 'x-requested-with: io.ionic.starter'

I tried the same curl request with a test token (API Explorer token) and it works.

Here is my decoded token:

{
  "nickname": "my-user123",
  "name": "email@foo.com",
  "picture": "https://s.gravatar.com/avatar/54a23f45c8b6917cdf0ac34e3f744260?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fma.png",
  "updated_at": "2020-01-28T20:57:16.661Z",
  "iss": "https://<my-tenant>.eu.auth0.com/",
  "sub": "auth0|5da4e39.....",
  "aud": "V3KIiCrLgZlqO....",
  "iat": 1580245282,
  "exp": 1580245352
}

Do you have any idea?

thanks

Hello @saytaine,

Your decoded token example looks like an ID token, whereas you will want to use an access token to talk to the Management API. I suspect that is why you are seeing the 401. The bearer token should be an access token.

Thanks for your reply.
Here is my auth result after authentication:

accessToken : "5NbbWxHHhIA1-lzsg0VH_JhNdl1adojn"
expiresIn : 86400
idToken :  "eyJhbGciOiJ...................ddjsQveOiVGTQEsJqe6ivAQ"
refreshToken: "8234mO7....E8wyLrEWGz"
scope: "openid profile offline_access"
tokenType : "Bearer"

I tried with my accessToken, but if I use this accessToken as a Bearer token it doesn't work. I can't decode this accessToken on jwt.io.
The generated test token doesn't look like the accessToken I got: it's way longer than 33 chars.
Even after a refreshToken call, my accessToken is short and unusable.

Maybe I did something wrong and this accessToken is not correctly generated?

thank you

@markd Can you tell me what audience I should put to access this endpoint?

Initially, I used https://<my-tenant>/userinfo as the audience, but in the test token the audience was https://<my-tenant>/api/v2/. I used the same; then, after being authenticated, the app asked me to authorize access to profile etc. After that, my access token was normal (starting with ey... and with a lot of chars). Is that the right endpoint to use?

The audience is an identifier for the API you are trying to talk to. E.g.,

We usually use a string formatted as a URL. It doesn’t have to be formatted that way, but it is a good convention.

https://<my-tenant>/api/v2/ is the audience for your tenant’s Management API.

I tried with my accessToken, but if I use this accessToken as a Bearer token it doesn't work. I can't decode this accessToken on jwt.io.
The generated test token doesn't look like the accessToken I got: it's way longer than 33 chars.
Even after a refreshToken call, my accessToken is short and unusable.

Is the access token you are using meant for the API endpoint you are calling? An access token can only be used with its intended audience.

Depending on how the access token was created, it may be a JWT or an opaque token. Opaque tokens cannot be decoded at jwt.io because they aren’t JWTs.

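As an added illustration of the distinction markd draws above (ID token versus access token, and JWT access token versus opaque access token), here is a small Python diagnostic. It is not code from the thread or from Auth0: it classifies a bearer token the way a resource server will treat it, and builds the /api/v2/users/{id} URL with the `|` in the Auth0 user ID percent-encoded as %7C, which the raw `auth|7C...` path in the first post suggests was not done. The tenant, client ID and token values are constructed samples modelled on the ones posted above. It reads the JWT payload without verifying the signature, so it is a client-side debugging aid, not a substitute for the API's own validation.

```python
import base64
import json
import time
from urllib.parse import quote


def _b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_unverified(token):
    """Return (header, payload) if `token` is JWT-shaped, else None.

    The signature is NOT checked here; this only inspects what kind of token
    a client is holding. The API itself must verify the signature against the
    tenant's JWKS (as the ASP.NET JwtBearer handler later in the thread does).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    return header, payload


def classify_token(token, api_identifier, client_id, now=None):
    """Say why `token` will or will not be accepted as a bearer for `api_identifier`.

    Returns "opaque", "id_token", "wrong_audience", "expired" or "access_token".
    """
    decoded = decode_jwt_unverified(token)
    if decoded is None:
        # Auth0 issues a short opaque string when /authorize was called with no
        # `audience`; it only works against /userinfo, never against an API.
        return "opaque"
    _, payload = decoded
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if api_identifier in auds:
        now = int(time.time()) if now is None else now
        return "expired" if payload.get("exp", 0) <= now else "access_token"
    if client_id in auds:
        # aud == the application's client_id: this is the ID token, which
        # proves who the user is to the client, not to a resource server.
        return "id_token"
    return "wrong_audience"


def management_user_url(domain, user_id):
    """Build /api/v2/users/{id} with the user ID percent-encoded.

    Auth0 user IDs contain '|' (e.g. 'auth0|5da4e39...'), which must travel
    in the path as %7C; an unencoded '|' is also a shell pipe in a bare curl.
    """
    return f"https://{domain}/api/v2/users/{quote(user_id, safe='')}"


def make_unsigned_sample_jwt(payload):
    """Constructed sample only: JWT-shaped string with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder"


if __name__ == "__main__":
    # Constructed sample values standing in for the ones posted in the thread.
    TENANT = "my-tenant.eu.auth0.com"
    API = f"https://{TENANT}/api/v2/"          # Management API identifier
    CLIENT_ID = "V3KIiCrLgZlqO"                # the `aud` of the posted ID token
    id_tok = make_unsigned_sample_jwt({"iss": f"https://{TENANT}/", "sub": "auth0|5da4e39",
                                       "aud": CLIENT_ID, "iat": 1580245282, "exp": 1580245352})
    access_tok = make_unsigned_sample_jwt({"iss": f"https://{TENANT}/", "sub": "auth0|5da4e39",
                                           "aud": API, "scope": "read:users", "exp": 9999999999})
    opaque_tok = "5NbbWxHHhIA1-lzsg0VH_JhNdl1adojn"  # shape of the 32-char accessToken posted
    for name, tok in [("ID token", id_tok), ("API access token", access_tok), ("opaque", opaque_tok)]:
        print(f"{name:17s} -> {classify_token(tok, API, CLIENT_ID)}")
    print(management_user_url(TENANT, "auth0|5da4e39"))
```

Run it as a script to see the three posted token shapes classified; in practice you would paste the real bearer value into `classify_token` before blaming the API, since "opaque" and "id_token" both mean the client never requested a token for the Management API's audience.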

Thank you @markd, I think I have the information I needed.

Let us know @saytaine if you have other questions!

I have the same issue and I have no clue what's going on… I am using a .NET 6 MVC app with a .NET 6 web API. The login process is OK and I get back an ID token and an opaque access token. I set the audience to the API identifier as mentioned in the docs but still get an invalid_token error. Here is my API configuration in program.cs:

builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowSpecificOrigin",
        builder =>
        {
            builder
                .WithOrigins("https://localhost:7171")
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials();
        });
});
// Add services to the container.
string domain = $"https://mydomain.auth0.com/";
string audience = $"https://my.api.identifier/";
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Authority = domain;
    options.Audience = audience;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = ClaimTypes.NameIdentifier,
    };
});

I also tried other things, such as:
options.TokenValidationParameters = new TokenValidationParameters
{
    NameClaimType = ClaimTypes.NameIdentifier,
    ValidateAudience = true,
    ValidAudiences = new List<string> { audience },
    ValidateLifetime = true
};
But still getting the same error. Is there any way to investigate further?