We try to use “user info” instead of legacy “token info”
https://auth0.com/docs/api/authentication?http#user-profile
But it always returns “unauthorized” even though the access token is verified.
We use Lock 10 Widget with the following settings to get scope set to “openid”
auth : {
responseType : "token",
redirect : false,
params : {
scope : "openid"
}
}
I could not reproduce this situation, the 401 - Unauthorized, unless I provided an incorrect access token.
Based on your usage of Lock I would assume the access token you’re using is an opaque access token, around 16 characters, but can you confirm this situation.
In addition, it may be useful to update the question with the exact contents of the WWW-Authenticate response header you get along with the 401.