I’m using the Auth0 SSO flow for user authentication, which is working perfectly fine. After the login callback, when I try to fetch additional user details using the Management API, I get a 401 Unauthorized "Bad audience" error as the response.
However, it works fine if I use the system Auth0 Management API as the audience while creating the token. I also tried the token generated using the custom API as the audience in the API explorer, and it has the same error.
The Test tab on the Auth0 dashboard API detail page provides some code to generate tokens and access the APIs. Since I am not able to access the Management API, please let me know if I am doing something wrong. What other APIs can be accessed with this token, if not the Management API?
Adding the code I tried below:
<?php
// Client credentials grant: exchange the application's client_id/client_secret
// for an access token whose "aud" claim is the audience named in the request.
$curl = curl_init();

curl_setopt_array($curl, array(
    CURLOPT_URL => "https://{tenant}.auth0.com/oauth/token",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    // "audience" is the identifier of the API the token is minted for; the
    // resulting token is only accepted by that API.
    CURLOPT_POSTFIELDS => "{\"client_id\":\"{client_id}\",\"client_secret\":\"{client_secret}\",\"audience\":\"{my_new_custom_domain}\",\"grant_type\":\"client_credentials\"}",
    CURLOPT_HTTPHEADER => array(
        "content-type: application/json"
    ),
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response; // JSON body with access_token, token_type and expires_in
}
This code successfully returns a token, which I can validate using jwt.io.
I tried https://{tenant}.auth0.com/api/v2/users/{user_id} for the path_to_your_api.
However, when I use this token for the Management API, I am getting a 401 error response:
{"statusCode":401,"error":"Unauthorized","message":"Bad audience: <my_new_custom_domain>"}
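The following is an added, self-contained illustration of what happens in the post above; it is not code from the original post or from Auth0. It models the two halves of the exchange: the "audience" parameter sent to /oauth/token becomes the "aud" claim of the minted token, and every resource server (the Management API included) rejects a token whose "aud" does not name it, before it even looks at scopes. The tenant, API identifiers and secret are constructed placeholders, and the token is signed with HS256 as a stand-in for Auth0's RS256 so that the example runs offline.

```python
"""Constructed example: a client_credentials token minted for one audience
is rejected by a different API with a 'Bad audience' 401."""
import base64
import hashlib
import hmac
import json
import time

# Placeholders for illustration only, not real tenant values.
TENANT_ISSUER = "https://example-tenant.auth0.com/"
MGMT_API_AUDIENCE = "https://example-tenant.auth0.com/api/v2/"
CUSTOM_API_AUDIENCE = "https://my-custom-api.example.com"
SHARED_SECRET = b"constructed-demo-secret"  # HS256 stand-in; Auth0 uses RS256


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(audience: str, scope: str, now=None) -> str:
    """Stand-in for POST /oauth/token with grant_type=client_credentials:
    the 'audience' request parameter becomes the token's 'aud' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": TENANT_ISSUER,
        "sub": "client_id@clients",
        "aud": audience,
        "iat": now,
        "exp": now + 86400,
        "scope": scope,
        "gty": "client-credentials",
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def authorize(token: str, expected_audience: str, required_scope: str, now=None) -> dict:
    """What a resource server such as the Management API does before serving
    a request: verify signature, issuer and expiry, then audience, then scope."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return {"statusCode": 401, "error": "Unauthorized", "message": "Malformed token"}
    expected_sig = hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return {"statusCode": 401, "error": "Unauthorized", "message": "Invalid signature"}
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != TENANT_ISSUER:
        return {"statusCode": 401, "error": "Unauthorized", "message": "Bad issuer"}
    if claims.get("exp", 0) <= now:
        return {"statusCode": 401, "error": "Unauthorized", "message": "Expired token"}
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        # Mirrors the shape of the error seen in the post: the token is valid,
        # it was just minted for another API.
        return {"statusCode": 401, "error": "Unauthorized",
                "message": "Bad audience: " + ", ".join(audiences)}
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return {"statusCode": 403, "error": "Forbidden", "message": "Insufficient scope"}
    return {"statusCode": 200, "sub": claims["sub"]}


if __name__ == "__main__":
    # Token minted for the custom API, presented to the Management API: rejected.
    custom_token = mint_token(CUSTOM_API_AUDIENCE, "read:profile")
    print(authorize(custom_token, MGMT_API_AUDIENCE, "read:users"))
    # Token minted for the Management API audience, with the needed scope: accepted.
    mgmt_token = mint_token(MGMT_API_AUDIENCE, "read:users")
    print(authorize(mgmt_token, MGMT_API_AUDIENCE, "read:users"))
```

The practical consequence is that one token cannot serve both a custom API and the Management API unless both identifiers appear in its "aud" claim; the usual approach is to request a separate token per audience, and to grant the Management API token only the specific scopes (for example read:users) the backend actually needs.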