Auth0-js returns jwt_invalid when attempting to get token for API

Hello,

I am using auth0-js for authentication on my website. I am trying to integrate a new API on the site which I need to be accessible only by authenticated users.

To start, I have set up an API in the auth0 dashboard.

Next, I am following the information in this article which indicates that I can acquire an access token for a “different API than the one used when initializing” (I am using /api/v2/ during initialization).

    const apiToken = auth.checkSession(
      {
        audience: "<MY_NEW_API_AUDIENCE>",
      },
      function(err, authResult) {
        console.log(err);
      }
    );

I am getting the following error:

    {
      "error": "jwt_invalid",
      "error_description": "Invalid token provided"
    }

There doesn’t seem to be clear documentation about authenticating for a second API (audience) using the auth0-js SDK. If anyone could provide guidance it would be very appreciated.

Hi @amos and thanks for reaching out to the Auth0 Community!

From the documentation you’ve linked it looks like you need to include the necessary scopes when making that checkSession() call to your additional API. Have you already attempted to add scopes and if so did you still get a jwt_invalid error?

Best Regards,
Colin

1 Like

Hi @colin.coutts, thank you for the response.

Per your advice, I tried adding scopes to the checkSession() call. I created a scope via “Permissions” tab on the API dashboard for testing purposes, called access:api. Prior to this I did not have any scopes associated with this API. Are scopes always needed?

Updated Code Snippet:

    const apiToken = auth.checkSession(
      {
        audience: "<MY_NEW_API_AUDIENCE>",
        scope: "access:api",
      },
      function(err, authResult) {
        console.log("Error Authenticating API.");
        console.log(err);
      }
    );

I am now getting a new error:

    {
      "original": {
        "error": "consent_required",
        "error_description": "Consent required"
      },
      "code": "consent_required",
      "description": "Consent required",
      "error": "consent_required",
      "error_description": "Consent required"
    }

My understanding was that the consent was obtained with my original auth0.WebAuth, which is the auth variable in the snippet.

Can you provide any additional advice given this new error?

Hi @amos

Does your API have Allow Skipping User Consent enabled in the API dashboard? This setting alone wouldn’t be enough, however; it would also require the application calling the API to be “First Party”. More on that can be found here:

If those resources don’t help, please send me your tenant in a DM so I can review your tenant configuration and see if I can provide any further feedback.

Best,
Colin

Hey @colin.coutts,

Yes, my API shows that Allow Skipping User Consent is enabled in the dashboard.

In the documentation you sent, I see that:

By default, applications registered in Auth0 are first-party applications.

I also read that:

localhost is never a verifiable first-party

I am currently testing my application via a localhost port. Could this be why I am getting "error": "consent_required" when I attempt to checkSession?

I see that there is a work around listed involving the /etc/hosts file in this doc but that doesn’t seem like an ideal solution.

Looking deeper, I am inclined to believe that part of the problem was testing on localhost.

Testing the above code in my production environment, I no longer get the consent_required error.

Instead, I get two other issues:

  • In Safari, I get a login_required error, which is likely due to the known cookie issue.

  • In Firefox/Chrome checkSession() is returning null.

The Firefox/Chrome issue leads me to believe there is still a problem with my setup.

I’m hoping to get this working at least in Firefox/Chrome and then go forward with using a custom domain for support in Safari. Please let me know if you have any insight into the null return.
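Added example (not code from the thread or from the auth0-js project): a Promise wrapper around WebAuth.checkSession() that reads the access token from the callback's authResult and maps the error codes that appear in this thread to the action the application should take. The `auth` argument is assumed to be an auth0.WebAuth instance; `fakeWebAuth` and the example audiences are constructed stand-ins so the code runs offline.

```javascript
// checkSession() delivers its result through the callback only; the call
// itself returns undefined, so `const t = auth.checkSession(...)` can never
// hold a token. This wrapper surfaces the token (or a classified error).
function getApiAccessToken(auth, audience, scope) {
  return new Promise((resolve, reject) => {
    auth.checkSession({ audience, scope }, (err, authResult) => {
      if (err) {
        const code = err.error || err.code;
        const action = {
          jwt_invalid: 'check the audience identifier registered for the API',
          consent_required: 'redirect via auth.authorize() so the user can grant consent',
          login_required: 'no Auth0 session cookie; redirect via auth.authorize() to log in',
        }[code] || 'inspect err.error_description';
        reject(Object.assign(new Error(code), { code, action }));
        return;
      }
      resolve({ accessToken: authResult.accessToken, scope: authResult.scope });
    });
  });
}

// Demonstrates the pitfall: the return value of checkSession() is undefined.
function returnValueOfCheckSession(auth, audience) {
  return auth.checkSession({ audience }, () => {});
}

// Constructed stand-in for auth0.WebAuth so the wrapper can run offline.
// Keyed by audience: unknown audiences fail with jwt_invalid, audiences
// flagged needsConsent fail with consent_required, others mint a token.
function fakeWebAuth(apis) {
  return {
    checkSession(options, cb) {
      const api = apis[options.audience];
      if (!api) {
        cb({ error: 'jwt_invalid', error_description: 'Invalid token provided' });
      } else if (api.needsConsent) {
        cb({ code: 'consent_required', error: 'consent_required', error_description: 'Consent required' });
      } else {
        cb(null, { accessToken: api.token, expiresIn: 7200, scope: options.scope });
      }
      // No return statement: like the real SDK, the call yields undefined.
    },
  };
}

// Constructed sample audiences (placeholders, not real Auth0 identifiers).
const demoAuth = fakeWebAuth({
  'https://example.test/my-api': { token: 'constructed.access.token' },
  'https://example.test/consent-api': { needsConsent: true },
});
```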