Calling /userinfo returns an unauthorized error

Balint_Maschio · April 4, 2017, 2:19pm

I’m getting a strange error while calling the /userinfo endpoint. I populate the header field Authorization with the access_token from the token operation:

GET /userinfo HTTP/1.1
 Host: monrifnet-test.eu.auth0.com
 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qRkNPVFV5TnpOQk1qQTJRamt6UkVFMlFqazNRMEkwUVRCRVJETkNSakEwTnpFNE5rUkNNUSJ9.eyJpc3MiOiJodHRwczovL21vbnJpZm5ldC10ZXN0LmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNTkwNDk3ODkxNDEyNzc2MTE2MCIsImF1ZCI6Imh0dHBzOi8vbW9ucmlmbmV0LXRlc3QuZXUuYXV0aDAuY29tL2FwaS92Mi8iLCJhenAiOiJESkhLcmhWWTI5bjM2enVDN3RpVFQ5a3luMzQ4bjlmWSIsImV4cCI6MTQ5MTMxNTQxMywiaWF0IjoxNDkxMjI5MDEzfQ.UDzkFrU72nHBqk3YzELYbcW4XOemds91Q54MoUBQ5RcetJobwo7eENrLFP6JlfwNCIR1-XdyZfh0BlyxZlO9HZPaL_Aemxs2BKlFvB_b5BhjoYMtPK-J0-Oz923GzS0yAYg5DrT-rBhP2vXrZLfRtMrdqox-x2D8jBsCd5TFMvbYuo6HXmByCRfwZ9SwQAvZ2pUIntzgY12rfp7NOB6ECqX36PzP2NHwqAlR1WD_WCrl54j4VfnpfZd-6xdaMwV_x_sp08nNFqeMyl0bNcyBlHU6tcJwam5wnmNsfkStgreqdolzHtpLbB-0X82ic0GY-orIJPFzIjuyTw3bqa48vw

but I still get an error:

{"error":"unauthorized","error_description":"invalid credentials"}

Any idea why this happens?

jmangelo · April 5, 2017, 5:38pm

The /userinfo endpoint can be called either with an opaque access token (currently, you could distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.

When the access token is in the JWT format, the token must list https://[your_account].auth0.com/userinfo as an audience(aud) in order for it to be valid to call the /userinfo endpoint.

The access token you’re using does not meet this requirement as it only lists https://[your_account].auth0.com/api/v2/ as a valid audience. When you specify an audience parameter for an endpoint other than the user information one, you need to consider that /userinfo will only be included as an additional audience if the following occurs:

the API specified in the audience parameter does not use HS256 as the signing algorithm.
you specify a scope parameter that includes openid.

In your scenario it seems that you made a request that satisfied the first point as the Management API uses RS256, but you may have not provided a scope parameter that included openid.

sebastianpatinolang · February 27, 2018, 1:21am

Spot on! Solved my problem. thx → added ‘openid’ to scope worked

Topic		Replies	Views
Right way to call userinfo Get Help userinfo , access-token , token-endpoint , authorize-endpoint	2	13198	March 2, 2018
/userinfo API returns 401 Unauthorized JWT.io auth0 , api	6	2416	May 27, 2023
The /userinfo endpoint returns 401 (Unauthorized) Get Help lock , api , userinfo , audience	12	24765	January 9, 2023
401 on /userinfo Get Help	4	7364	September 3, 2019
Not able to access /userinfo from created API Get Help access-token-userinf	5	5972	March 2, 2018

Calling /userinfo returns an unauthorized error

Related topics