Auth0 NodeJS JWT authentication in API for mobile app

I’m a beginner in Auth0 and few days ago made iPhone app which use Auth0 login following the tutorial.

It was succeed so I could got accessToken and idToken successfully.
Just after that I tried to create nodejs server for API of that app with Auth0 jwt.

I followed the Auth0 tutorial this time too, and succeed to get 200 response with test access token from Auth0 API.

enter image description here

But my problem is when I request API on iPhone app with token, node server throw an exception.

If I send accessToken it throw UnauthorizedError: jwt malformed, and I found that the mobile accessToken has completely different format than the example accessToken.

UnauthorizedError: jwt malformed
    at /Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/express-jwt/lib/index.js:102:22
    at Object.module.exports [as verify] (/Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/jsonwebtoken/verify.js:63:12)
    at verifyToken (/Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/express-jwt/lib/index.js:100:13)
    at fn (/Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/async/lib/async.js:746:34)
    at /Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/async/lib/async.js:1213:16
    at /Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/async/lib/async.js:166:37
    at /Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/async/lib/async.js:706:43
    at /Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/async/lib/async.js:167:37
    at Immediate.<anonymous> (/Volumes/Work/Work/NodeJS/GeoServer/GeoServer/node_modules/async/lib/async.js:1206:34)
    at runCallback (timers.js:705:18)

And if I send idToken, the malformed exception is gone, but I got another error in this time.

Error: getaddrinfo ENOTFOUND undefined undefined:443
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:57:26)

I’m working this part in several days but haven’t found the solution yet.
Please give me any help to fix this issue.

Following is the node server codes.

import express from 'express';
import jwt from 'express-jwt';
import jwksRsa from 'jwks-rsa';
import cors from 'cors';
import bodyParser from 'body-parser';

const app = express();

    extended: true

const port = 3000

// Create middleware for checking the JWT
const jwtCheck = jwt({
    // Dynamically provide a signing key based on the kid in the header and the singing keys provided by the JWKS endpoint.
    secret: jwksRsa.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
    // Validate the audience and the issuer.
    audience: process.env.AUTH0_AUDIENCE,
    issuer: `https://${process.env.AUTH0_DOMAIN}`,
    algorithms: ['RS256']

const locationHistory: any[] = [];

app.get('/', (req, res) => res.send('Hello World!'))'/api/location', (req, res) => {
    locationHistory.push({latitude: req.body.latitude, longitude: req.body.longitude});

app.listen(port, () => console.log(`API server is listening on port ${port}!`))

Given you mentioned that the application access token has a different format than the test access token it’s likely that the application is not configured to request an access token suitable for the API in question.

You should go through (Auth0 iOS / macOS SDK Quickstarts: Login) if you haven’t done so already, but the short story is that the application needs to request an access token for that API by including an audience parameter (in iOS application would likely be by including a line such as .audience(APIIdentifier)).

Hi @jmangelo Thanks for your help.
Finally I found the issue, that’s just the incorrect audience. There are two Applications - one is Default Native application and one is MTM API application. I was using the old Native application’s audience in iPhone app, that’s why the accessTokens are different format.
Thanks anyway

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.