Auth Not Working for Protected API - Query Param configuration missing? (Angular & Node)

Hey Auth0 Community,

I followed the quickstart guide via Youtube to set up an Angular app to use Auth0. Overall, it was extremely helpful.

My login/logout is working. My route guards are working.

My problem: My API call keeps returning a 401 Unauthorized and I can’t figure out why.

Stack:
Angular Front-End
Node.js (using Express) backend
Mongo DB

My thought: My api call uses a query parameter that comes from a value in a drop down list in my Angular app. I am wondering if query params create an issue with the HTTP_Interceptor for authentication.

I haven’t found anything about this in the community forums or online, but to be honest, I may not be googling the right terms, as I am still pretty new to all of this.

Here are some screen shots to help explain.

Front End

My component calls to my service

image942×191 15.8 KB

I have a service that handles my http calls.

image917×106 12.3 KB

I think all my env, config and module files are set up correctly:

image808×362 11.5 KB

Note: I hardcoded my “allowedList:” property so I could test it, but the “Halo” value is the query param. If I leave it blank, I get the same result. This is where I think the issue is

Backend (Node)

My route is called via my Front end

Jwt file

When everything is served up and I select an item from the drop down and submit, this is what I see in the console

image930×131 9.68 KB

Here is my network calls

image1121×974 73.8 KB

Let me know what you think or if you have questions. Thank you in advance!

Hi @EyeG,

Welcome to the Auth0 Community!

Have you tried to decode the token and see if it has all the necessary claims? You can post it here (with sensitive data redacted) and I’d be happy to take a look.

Hi @dan.woda !

Thanks for responding! I did decode it but to be honest, I am not totally sure what I am looking for once I do decode it.

Here is what I see in the network:

When I decode the Access_Token, here is what I get (not exactly sure what is sensitive v. what is not - but I know I can change some of this stuff if it is sensitive ):

image713×642 31.7 KB

When I decode the id_token

image807×957 49.8 KB

Hope that helps. Thanks your again for responding! Let me know if you have questions.

Does your audience and issuer match the settings you set up in your checkJwt method?

@dan.woda

So here is what I see, not sure if this is right, which may be the issue. I’ll change the configuration of this afterward, so I don’t mind sharing.

Backend files (node)

Env file

check-jwt file

image787×552 22.7 KB

Front End files

Auth_Config.json file

Angular Env file

image1042×436 27.6 KB

Network Calls/Tokens

access_token decoded

image701×651 29.7 KB

id_token decoded

image610×712 37 KB

It looks like your checkJWT method is repeating the https:// and trailing / for your issuer

i.e. https://https://dev-xxxx.us.auth0.com//

@dan.woda

Great idea! I made the changes, but unfortunetly still getting a 401 unauthorized

node env file

jwt file

image800×583 40.2 KB

Does the error give any more information? Usually it will say something like bad audience or invalid issuer

@dan.woda

I didn’t see anything about audience or invalid issuer. At least not yet.

I’ve been trying to debug this morning, but still no luck. It just seems odd that my route guards are working, log in is working, but my API can’t find my token. I

Here are my errors in the conosle.

image1615×805 52.6 KB

For the “error” property", I think this is the stack trace, and I am trying to follow it, but it seems like all the errors are stemming from a node-module.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>UnauthorizedError: No authorization token was found<br> &nbsp; &nbsp;at middleware (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express-jwt\lib\index.js:79:21)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at next (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\route.js:137:13)<br> &nbsp; &nbsp;at Route.dispatch (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\route.js:112:3)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:281:22<br> &nbsp; &nbsp;at Function.process_params (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:335:12)<br> &nbsp; &nbsp;at next (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:275:10)<br> &nbsp; &nbsp;at Function.handle (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:174:3)<br> &nbsp; &nbsp;at router (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:47:12)<br> &nbsp; &nbsp;at Layer.handle [as handle_request] (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\layer.js:95:5)<br> &nbsp; &nbsp;at trim_prefix (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:317:13)<br> &nbsp; &nbsp;at C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:284:7<br> &nbsp; &nbsp;at Function.process_params (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:335:12)<br> &nbsp; &nbsp;at next (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\express\lib\router\index.js:275:10)<br> &nbsp; &nbsp;at urlencodedParser (C:\Users\gilma\Documents\Dev\QUp\qUpBACKEND\node_modules\body-parser\lib\types\urlencoded.js:91:7)</pre>
</body>
</html>

That error message is helpful.

Can you look at the network tab of devtools, and see if the token is being sent in the request?

You should see an Authorization header with the token. Like this:

image715×280 47.1 KB

@dan.woda

Hmm, it’s not. I don’t really understand why tho. Is it the http interceptor? I’ll google a bit and if I figure it out before you reply, I’ll let you know

Here is the screen shot

image1428×1002 45.4 KB

More I am reading, a few questions come to mind that maybe will help.

1. Is it an issue that I don’t have any permissions/scopes set?

2. For query params, should I use an * at the end of the API end point as a wildcard? (ie: ${env.dev.serverUrl}?game=*)

To be honest, I am not very familiar with Angular httpInterceptors.

I notice in our Angular + API quickstart we have pass an object with additional parameters to the allowed list, as well as a wildcard at the end of the API uri, which I would think makes any request (including query params) valid. Can you try to format it like our example and see if that works?

httpInterceptor: {
    allowedList: [
      {
        // Match any request that starts 'https://dan-woda-testing.auth0.com/api/v2/' (note the asterisk)
        uri: 'https://dan-woda-testing.auth0.com/api/v2/*',
        tokenOptions: {
          // The attached token should target this audience
          audience: 'https://dan-woda-testing.auth0.com/api/v2/',

          // The attached token should have these scopes
          scope: 'read:current_user'
        }
      }
    ]
  }

@dan.woda

Ok, so I got it to work lol. All I did was add the * to the end of the URI. I didn’t add the scope, but maybe I’ll play around with it in the future.

Works like this if I remove everying after the ? (including the question mark).

And it works if I make the actually param a wildcard as well.

I guess the wildcard was the answer. For whatever reason the paramter wasn’t working when I hard coded it

I think I am good now. I definitely appreciate your help! I was banging my head against the wall for a few days there.

Thanks for posting an update.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.