Bad audience status 401 when trying to get user information by token

Hey Community!
I’m tryna set up an Auth0 login in my SPA Angular application.
Everything is working fine, my Express backend is secured, etc.
But now, I’m trying to get the user’s information in the backend with the token. Here is my code:

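```
const request = require('request');

// `token` is the access token the backend received from the frontend
var options = {
  method: 'GET',
  url: 'https://dev-qqws1971.auth0.com/api/v2/users/USER_ID', // am I using the wrong endpoint?
  headers: {authorization: `Bearer ${token}`},
};
request(options, function (error, response, body) {
  if (error) throw new Error(error);

  // Log the raw response body returned by the endpoint
  console.log(body);
});
```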

```
{"statusCode":401,"error":"Unauthorized","message":"Bad audience: http://localhost:3000/api https://dev-qqws1971.auth0.com/userinfo"}
```

I don’t know what to do, creating this authentication is taking me way too much time, I’m getting a lot of errors with Auth0, I just wanna identify my user with its token in the back-end. What should I change? Thanks!

The endpoint you’re calling is part of the Auth0 Management API and the access token you have is only valid for your own API (identified by http://localhost:3000/api) and the user information endpoint (identified by https://dev-qqws1971.auth0.com/userinfo).

With that access token you would be able to call the user information endpoint instead of the Management API (see reference docs for user info at https://auth0.com/docs/api/authentication#get-user-info).

Have in mind that the user information endpoint will only return the subset of user information (profile) to which the access token grants access (it will depend on the OIDC scopes requested originally).

Hello! Thanks for your answer,
My goal is just to get the user info in the backend with the token, including the user ID for my database.
So here are my questions:

  • How to get the user’s unique id (google id,…) with the access token in the backend
  • and why can’t I use the userinfo endpoint (following screen)

Thank you! Have a nice day

The user identifier should be included in the access token itself: for custom APIs (APIs you defined in your own dashboard) the access token issued will be a JWT, so after validating the JWT you can trust the information contained within, and the sub claim should point to the user identifier within the Auth0 service (assuming the access token was obtained through an end-user based flow).

For the second point, the value you’re passing as the access token does not seem correct, in that it does not seem to be a JWT, and from your previous message, if you were having an audience-related error, then this would suggest the use of a JWT.
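The validation step described in the answer above, as an added example that is not part of the original thread or Auth0's own code: it verifies an RS256 access token, checks issuer, audience and expiry, and only then reads `sub`. The trailing-slash issuer, the Management API identifier `.../api/v2/`, the throwaway key pair and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Values taken from the thread's error message; the issuer form is an assumption.
const ISSUER = 'https://dev-qqws1971.auth0.com/';
const API_AUDIENCE = 'http://localhost:3000/api';
const MGMT_AUDIENCE = ISSUER + 'api/v2/'; // Management API identifier (assumed)

// Verify an RS256 JWT and return its claims, or throw with the reason.
function verifyAccessToken(token, publicKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT'); // e.g. an opaque token
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: never let the token choose "none" or HS256.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('bad issuer');
  // aud may be a string or an array; this API must be listed in it.
  if (![].concat(claims.aud).includes(audience)) throw new Error('bad audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample: a throwaway key pair stands in for the tenant's signing key.
// In a real backend the public key comes from the tenant's JWKS document.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function signSample(claims) {
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const sampleToken = signSample({
  iss: ISSUER,
  sub: 'google-oauth2|000000000000000000000', // constructed user id
  aud: [API_AUDIENCE, ISSUER + 'userinfo'],
  exp: Math.floor(Date.now() / 1000) + 3600,
});

// The backend's view: validate first, then trust `sub` as the database key.
function userIdFromToken(token, audience = API_AUDIENCE) {
  return verifyAccessToken(token, publicKey, { issuer: ISSUER, audience }).sub;
}

console.log(userIdFromToken(sampleToken));
```

Checking the same token against `MGMT_AUDIENCE` throws `bad audience`, which mirrors the 401 in the first post, and a string without three dot-separated parts is rejected as `not a JWT`.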

Hello! For the second question I asked, what should I do to correctly use the userinfo endpoint? The token is the access token I’ve got in the frontend.
For the first question, do you have any example of getting the user’s information, including the unique id (provider id), in the backend? Or what manipulation should I do?
Getting the provider id and information in the backend is the last thing I need from Auth0 and I truly can’t achieve that for the moment.
Thanks for your fast answers,
Kind regards

After re-reading this I’d like to clarify :wink:
So here is the thing:
My user logs in on the front-end (SPA Angular).
In Express (Node.js backend) I get the token. With this access token I wanna get his information (name, pic url, SUB: provider id).
How can I do that?

On the latest screen I’m trying to give the access_token (which worked in my API to let my user access private data) and I get an error (why? what did I do wrong?).

Thank you!

I understand that you may have a lot of questions, but someone who is trying to troubleshoot this from the outside will also be pretty much in the same boat in terms of number of questions… so let’s try to get some basics covered.

What’s the length (in number of characters) of the access token you’re obtaining in the frontend? If you’re sure the access token is a JWT then you can go to jwt.io and decode it; after doing that grab the header and payload section and share it here. You can redact certain information within the token if you’re not using a fake user, but ideally you should use a completely fake user and not worry about disclosing information like email address and others.