I’m getting a strange error while calling the /userinfo endpoint. I populate the header field `Authorization` with the `access_token` from the token operation:

```http
GET /userinfo HTTP/1.1
Host: monrifnet-test.eu.auth0.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik5qRkNPVFV5TnpOQk1qQTJRamt6UkVFMlFqazNRMEkwUVRCRVJETkNSakEwTnpFNE5rUkNNUSJ9.eyJpc3MiOiJodHRwczovL21vbnJpZm5ldC10ZXN0LmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwNTkwNDk3ODkxNDEyNzc2MTE2MCIsImF1ZCI6Imh0dHBzOi8vbW9ucmlmbmV0LXRlc3QuZXUuYXV0aDAuY29tL2FwaS92Mi8iLCJhenAiOiJESEhLcmhWWTI5bjM2enVDN3RpVFQ5a3luMzQ4bjlmWSIsImV4cCI6MTQ5MTMxNTQxMywiaWF0IjoxNDkxMjI5MDEzfQ.UDzkFrU72nHBqk3YzELYbcW4XOemds91Q54MoUBQ5RcetJobwo7eENrLFP6JlfwNCIR1-XdyZfh0BlyxZlO9HZPaL_Aemxs2BKlFvB_b5BhjoYMtPK-J0-Oz923GzS0yAYg5DrT-rBhP2vXrZLfRtMrdqox-x2D8jBsCd5TFMvbYuo6HXmByCRfwZ9SwQAvZ2pUIntzgY12rfp7NOB6ECqX36PzP2NHwqAlR1WD_WCrl54j4VfnpfZd-6xdaMwV_x_sp08nNFqeMyl0bNcyBlHU6tcJwam5wnmNsfkStgreqdolzHtpLbB-0X82ic0GY-orIJPFzIjuyTw3bqa48vw
```

but I still get an error:

```json
{"error":"unauthorized","error_description":"invalid credentials"}
```
Any idea why this happens?
The `/userinfo` endpoint can be called either with an opaque access token (currently you can distinguish these because they are represented as 16 characters in length) or with an access token in the JWT format.

When the access token is in the JWT format, the token must list `https://[your_account].auth0.com/userinfo` as an audience (`aud`) in order for it to be valid to call the `/userinfo` endpoint.

The access token you’re using does not meet this requirement, as it only lists `https://[your_account].auth0.com/api/v2/` as a valid audience. When you specify an `audience` parameter for an endpoint other than the user information one, you need to consider that `/userinfo` will only be included as an additional audience if the following occurs:

- the API specified in the `audience` parameter does not use `HS256` as the signing algorithm;
- you specify a `scope` parameter that includes `openid`.

In your scenario it seems that you made a request that satisfied the first point, as the Management API uses `RS256`, but you may not have provided a `scope` parameter that included `openid`.
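To check a token for exactly the condition described in the answer above, here is an added example (Python, written for this page; it is not code from the thread or from Auth0). It decodes a JWT's claims locally without verifying the signature, reports whether the `/userinfo` audience is present, and models the rule from the answer for when `/userinfo` is added as a second audience. The tenant domain is the one in the question; the sample tokens, the client id and the placeholder signature are constructed for the example, and the "16 characters" test for opaque tokens reflects the answer's statement at the time of the post.

```python
import base64
import json

# Tenant domain taken from the question; audiences derived from it.
DOMAIN = "monrifnet-test.eu.auth0.com"
MGMT_API_AUDIENCE = f"https://{DOMAIN}/api/v2/"
USERINFO_AUDIENCE = f"https://{DOMAIN}/userinfo"


def b64url_decode(data: str) -> str:
    """Decode a base64url segment without padding (JWT segments omit '=')."""
    padded = data + "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(payload: dict, alg: str = "RS256") -> str:
    """Constructed JWT-shaped token for offline testing.
    The third segment is a placeholder, NOT a real signature; the only
    purpose is to inspect claims the way a token endpoint response would look."""
    header = {"typ": "JWT", "alg": alg, "kid": "sample-kid"}
    segments = [
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ]
    segments.append(b64url_encode(b"placeholder-signature"))
    return ".".join(segments)


def jwt_claims(token: str) -> dict:
    """Parse the payload WITHOUT verifying the signature.
    Good enough for diagnosing your own token; never use this to accept a
    token on a resource server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """RFC 7519 allows `aud` to be a single string or an array of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def expected_audiences(api_audience: str, api_alg: str, scope: str, domain: str) -> list:
    """Model of the rule stated in the answer: /userinfo is only appended as
    a second audience when the requested API is not signed with HS256 AND
    the scope parameter contains openid."""
    auds = [api_audience]
    if api_alg.upper() != "HS256" and "openid" in scope.split():
        auds.append(f"https://{domain}/userinfo")
    return auds


def diagnose_userinfo_token(token: str, domain: str) -> str:
    """Say whether a token from the token endpoint is usable against /userinfo."""
    if token.count(".") != 2:
        # Opaque tokens (16 characters, per the answer) are accepted as-is.
        return "opaque" if len(token) == 16 else "unrecognized"
    claims = jwt_claims(token)
    if claims.get("iss") != f"https://{domain}/":
        return "wrong-issuer"
    if f"https://{domain}/userinfo" in audiences(claims):
        return "ok"
    return "missing-userinfo-audience"


if __name__ == "__main__":
    # Constructed payload mirroring the shape of the token in the question.
    only_mgmt = make_sample_jwt({
        "iss": f"https://{DOMAIN}/", "sub": "google-oauth2|1",
        "aud": MGMT_API_AUDIENCE, "azp": "sample-client-id",
        "exp": 1491315413, "iat": 1491229013,
    })
    with_userinfo = make_sample_jwt({
        "iss": f"https://{DOMAIN}/", "sub": "google-oauth2|1",
        "aud": [MGMT_API_AUDIENCE, USERINFO_AUDIENCE], "azp": "sample-client-id",
        "exp": 1491315413, "iat": 1491229013,
    })
    print("audience=api/v2, no openid:", diagnose_userinfo_token(only_mgmt, DOMAIN))
    print("audience=api/v2 + openid:  ", diagnose_userinfo_token(with_userinfo, DOMAIN))
    print("expected aud with openid:  ", expected_audiences(MGMT_API_AUDIENCE, "RS256", "openid profile", DOMAIN))
```

Run it against your own token by passing the real `access_token` string to `diagnose_userinfo_token`; a result of `missing-userinfo-audience` with an `aud` of only `/api/v2/` is the symptom from the question, and `expected_audiences` shows which `scope` value would have produced the second audience.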
Spot on! Solved my problem, thanks. Adding ‘openid’ to the scope worked.