Authorization Extension's GET /users endpoint returns Internal Server Error (500)


We are facing an issue with the authorization extension in our production tenant, although everything is working fine in our QA tenant.

When invoking the GET /users endpoint, I get 500 Internal Server Error.

In the realtime webtask logs I see the output below. It seems to me that the Authorization Extension is trying to invoke the Auth0 Management API but with incorrect credentials. I don’t know where it is getting the client ID “F4T52F8R1g2JoSDgy7xLK91nJHunGv6u” from. There is no application with this client ID in our tenant.

When I look at the logs in our QA tenant, where it works without error, I can see that the client ID being used here is the one belonging to the “auth0-authz” application. But in the production tenant the client ID showing up in the logs does NOT match the “auth0-authz” application.

So the problem seems to be that for some reason the authorization extension in our production tenant is using an incorrect client ID to connect to the Auth0 Management API. But I don’t know why this is happening or how to fix it. We have already tried reinstalling the authorization extension.

Any help would be greatly appreciated.

Here is the log output:

3:45:36 PM: new webtask request 1553283936929.565623
3:45:37 PM: 2019-03-22T19:45:37.504Z - info: Starting Authorization Extension - Version: 2.6.1
3:45:37 PM: 2019-03-22T19:45:37.505Z - info: > WT_URL: (snip)
3:45:37 PM: 2019-03-22T19:45:37.505Z - info: > PUBLIC_WT_URL: (snip)
3:45:37 PM: 2019-03-22T19:45:37.956Z - info: Initializing the Webtask Storage Context.
3:45:38 PM: 190322/194538.151, [log,info] data: Hapi initialization completed.
3:45:38 PM: (node:6) [DEP0022] DeprecationWarning: os.tmpDir() is deprecated. Use os.tmpdir() instead.
3:45:38 PM: 2019-03-22T19:45:38.240Z - error: Invalid credentials for F4T52F8R1g2JoSDgy7xLK91nJHunGv6u
3:45:38 PM: 190322/194538.241, [log,error] data: Request: GET /api/users
3:45:38 PM: 190322/194538.242, [log,error] data: Response: {
"name": "ManagementApiError",
"code": "unauthorized",
"message": "Invalid credentials for F4T52F8R1g2JoSDgy7xLK91nJHunGv6u",
"status": 401,
"isBoom": true,
"isServer": true,
"data": null,
"output": {
"statusCode": 500,
"payload": {
"statusCode": 500,
"error": "Internal Server Error",
"message": "An internal server error occurred"
"headers": {}
3:45:38 PM: finished webtask request 1553283936929.565623 with HTTP 500 in 1319ms
3:45:38 PM: 190322/194538.156, [error] message: Invalid credentials for F4T52F8R1g2JoSDgy7xLK91nJHunGv6u stack: ManagementApiError: Invalid credentials for F4T52F8R1g2JoSDgy7xLK91nJHunGv6u
at /data/_verquire/auth0-extension-hapi-tools/1.0.0/node_modules/auth0-extension-tools/src/auth0/managementApi.js:24:25
at Request.callback (/data/_verquire/auth0-extension-s3-tools/1.1.1/node_modules/superagent/lib/node/index.js:631:3)
at /data/_verquire/auth0-extension-s3-tools/1.1.1/node_modules/superagent/lib/node/index.js:795:18
at IncomingMessage.<anonymous> (/data/_verquire/auth0-extension-s3-tools/1.1.1/node_modules/superagent/lib/node/parsers/json.js:16:7)
at emitNone (events.js:111:20)
at IncomingMessage.emit (events.js:208:7)
at endReadableNT (_stream_readable.js:1064:12)
at _combinedTickCallback (internal/process/next_tick.js:138:11)
at process._tickDomainCallback (internal/process/next_tick.js:218:9)
3:45:38 PM: 190322/194538.156, [response] socket:/data/io/port.sock: get /api/users {"q":"","field":"","per_page":100,"page":0} 500 (94ms)
1 Like

As you mentioned the cause of the error is clear (incorrect credentials), but the reason for the extension to get into that situation may be more elusive.

In your situation here’s a few things I would try given that you already mentioned that re-installing the extension is feasible.


  1. uninstall the extension.
  2. ensure that there is no client application named auth0-authz; if there is one and you’re confident that it’s not being used for anything else besides the extension, delete it.
  3. install the extension.
  4. open the browser tools and go to the network tab.
  5. click the settings button for the extension and in the network tab select the GET request to /adf6e2f2b84784b57522e3b19dfc9201?decrypt=true.
  6. in the preview section expand the secret and take note of the value associated with AUTH0_CLIENT_ID.
  7. go to the application section and check the client identifier associated with the auth0-authz application that should have been newly created by the extension install process.

If both client identifier match complete the same process that previously was leading to the error; if the error persists then sharing the following information may be useful:

  • the full URL to the /adf6e2f2b84784b57522e3b19dfc9201?decrypt=true request you inspected.
  • the full URL used to access the extension through the dashboard.
  • the full URL used in direct (HTTP) calls that are performed to the extension API (for example, from rules or from your own HTTP clients).

Sharing the URL will disclose the exact tenant name so you may replace the tenant name with a placeholder, however, be consistent and replace it the same placeholder in all shared URL’s. Also, only replace the tenant name and not the full domain name.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.