Hello everyone,
I’m having an issue setting up an application in Auth0 for access to an API from AWS AppSync. If I create a test token in the dashboard, it works, but not with my real users.
There are no restrictions on the AppSync side at the moment except for the issuer, which is the same in both cases. According to their documentation, they do a match on the iss attribute. I do not have client ID or TTL restrictions set up.
I am taking the access token generated by the Next.js library, and I have specified the audience, which matches the test credentials.
This works (test from Auth0 console):
{
"sub": "xxxxxxxxxxxxxxxxxxx@clients",
"aud": "https://APPSYNC-URL",
"azp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"iss": "https://AUTH0_DOMAIN.us.auth0.com/",
"exp": 1734123712,
"iat": 1734037312,
"gty": "client-credentials"
}
This doesn’t (copied from the accessToken attribute of getSession()):
{
"iss": "https://AUTH0_DOMAIN.us.auth0.com/",
"sub": "google-oauth2|xxxxxxxxxxxxx",
"aud": [
"https://APPSYNC-URL",
"https://AUTH0_DOMAIN.us.auth0.com/.well-known/openid-configuration"
],
"iat": 1734075727,
"exp": 1734162127,
"scope": "openid profile email",
"azp": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
I’m only getting this response in the logs, which isn’t very useful. I am testing from the AWS Console, not through code at the moment, so it cannot be a code issue.
{x-amzn-ErrorType=UnauthorizedException}
I noticed the test credentials don’t have scope, but that seems normal. The client-generated tokens don’t have gty, but that also makes sense as they are for a user, not a client.
Any ideas?
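The two payloads quoted above differ in the shape of aud (a single string versus an array). RFC 7519 allows either form, so a claim check has to accept both. The following is an added example, not code from the original post or from Auth0/AppSync: it validates iss, aud, exp and iat over the two sample payloads (constructed to mirror the post, placeholders kept) and shows that a plain string-equality check on aud only accepts the first token.

```javascript
// Added example: claim validation that handles aud as a string or an array
// (RFC 7519 section 4.1.3), compares iss exactly and checks exp/iat against
// a caller-supplied clock. Signature verification is assumed to be done elsewhere.
const ISSUER = "https://AUTH0_DOMAIN.us.auth0.com/";
const API_AUDIENCE = "https://APPSYNC-URL";

// Sample payloads, constructed from the two tokens in the post (placeholder values kept).
const clientCredentialsToken = {
  sub: "xxxxxxxxxxxxxxxxxxx@clients",
  aud: "https://APPSYNC-URL",
  azp: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  iss: "https://AUTH0_DOMAIN.us.auth0.com/",
  exp: 1734123712,
  iat: 1734037312,
  gty: "client-credentials",
};
const userToken = {
  iss: "https://AUTH0_DOMAIN.us.auth0.com/",
  sub: "google-oauth2|xxxxxxxxxxxxx",
  aud: [
    "https://APPSYNC-URL",
    "https://AUTH0_DOMAIN.us.auth0.com/.well-known/openid-configuration",
  ],
  iat: 1734075727,
  exp: 1734162127,
  scope: "openid profile email",
  azp: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
};

// True only when the audience claim names `expected`; aud may be a string or an
// array of strings, any other shape is rejected.
function audienceMatches(aud, expected) {
  if (typeof aud === "string") return aud === expected;
  if (Array.isArray(aud)) {
    return aud.every((a) => typeof a === "string") && aud.includes(expected);
  }
  return false;
}

// A check that only does string equality on aud rejects array-valued claims.
function naiveAudienceMatches(aud, expected) {
  return aud === expected;
}

// Returns a list of failure reasons; an empty list means the claims are acceptable.
function validateClaims(claims, { issuer, audience, now }) {
  const errors = [];
  if (claims.iss !== issuer) errors.push("iss mismatch");
  if (!audienceMatches(claims.aud, audience)) errors.push("aud mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= now) errors.push("token expired");
  if (typeof claims.iat === "number" && claims.iat > now) errors.push("iat in the future");
  return errors;
}
```

Run validateClaims with a clock value between iat and exp of each sample to see both tokens pass; naiveAudienceMatches fails only on the user token.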