I’m developing an application with NextJS and AWS HTTP API GW as the API GW.
I want to create an API closed to unauthorized users.
I’ve created an HTTP API Gateway on AWS with JWT auth, and I’ve successfully created the API and app on Auth0.
Now, I’m trying to test JWT auth on the API GW, and it tested successfully with the token I’ve got manually from the /oauth/token link.
Now, I’m trying to get the same result using the JWT token from the cookie (to be sure that everything is going to work correctly), taken from the developer console, but I’m stuck with the “Unauthorized” error when calling the API.
The error description says that:
Bearer realm=“Users”, error=“invalid_token”, error_description=“The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens”
But I have RS256 as signing method both on API and App.
Here is a request from the browser
Hey there @iktychinin! Welcome to the Auth0 Community.
I’m happy to help you with the issue you’re experiencing. It sounds like you’ve already authenticated into your app but are having issues authorizing access to your API gateway because there are multiple audiences.
If that’s the case, you should set your API gateway as your audience which allows you to implement a single authorization flow. Then you control access to each API behind the gateway using scopes.
Here’s an article that gives more detail on implementation.
To address your question about getting the correct token from the browser:
I put the token you provided in jwt.io to try and get some answers, but it returns an invalid signature error using both the RS256 & HS256 algorithms, which leads me to believe you’re not pulling the correct value. I’d need to see where you got this token from to further help.
I have a problem with the JWT token from the developer console in Firefox while testing it with my API and with your API /userinfo.
I have no problem with the manually obtained token from the /oauth/token call.
Also I use one audience parameter, as you can see on a screenshot from an original post.
I have only one API GW and only one audience.
Here is a screenshot of an initial login request. There is only one audience parameter.
Thanks, I’ll read that, for better understanding.
I got the token from cookie, from developer console:
I still see the same error. Unauthorized with Bearer realm="Users", error="invalid_token", error_description="The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens"
I’m pretty sure that the last part of the problem is linked with the encryption of the token. Either I have to change it somehow, or it’s linked with the way I obtain this token (from the developer console of the web browser). But I have no idea how to move on with these issues.
I’ve escalated this query to another team for a solution for you. The reason why that token isn’t working is because the NextJS SDK is stateful, and behaves like a classical web-app. The tokens are not exposed to the frontend by default.
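As an added diagnostic (not code from this thread, from Auth0 or from AWS), a small Node script that decodes whatever was copied out of the browser and lists the reasons a JWT authorizer would reject it: not a three-segment JWS (an encrypted session cookie has five segments), wrong alg, wrong issuer, missing audience, or expired. The issuer and audience values are placeholders; it only inspects the claims and does not verify the signature.

```javascript
// Added diagnostic, not code from the thread or from Auth0/AWS. Decodes a bearer
// token and lists why an HTTP API JWT authorizer would reject it. It does NOT
// verify the signature; the gateway does that against the issuer's JWKS, which
// is why only an asymmetric alg such as RS256 can be validated there.
function b64urlJson(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// issuer/audience are whatever the gateway's JWT authorizer is configured with.
function inspectAccessToken(token, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) {
    // 5 segments is compact JWE (encrypted): a session cookie, not an access token
    const why = parts.length === 5 ? 'compact JWE (encrypted)' : 'not a compact JWS';
    return { ok: false, problems: [`token is ${why}, expected header.payload.signature`] };
  }
  let header, payload;
  try {
    [header, payload] = [decodeSegment(parts[0]), decodeSegment(parts[1])];
  } catch {
    return { ok: false, problems: ['header or payload is not base64url-encoded JSON'] };
  }
  const problems = [];
  if (header.alg !== 'RS256') problems.push(`alg is ${header.alg}; expected RS256`);
  if (payload.iss !== issuer) problems.push(`iss is ${payload.iss}; expected ${issuer}`);
  const aud = [].concat(payload.aud ?? []); // aud may be a string or an array
  if (!aud.includes(audience)) problems.push(`aud ${JSON.stringify(aud)} lacks ${audience}`);
  if (typeof payload.exp !== 'number' || payload.exp <= now) problems.push('token is expired or has no exp');
  return { ok: problems.length === 0, problems, header, payload };
}

// Constructed sample tokens (placeholder tenant/API values, fake signature segment).
const EXPECTED = { issuer: 'https://TENANT.auth0.com/', audience: 'https://api-gateway.example/' };
function sampleToken(header, payload) {
  return `${b64urlJson({ typ: 'JWT', ...header })}.${b64urlJson(payload)}.c2lnbmF0dXJl`;
}
const goodToken = sampleToken({ alg: 'RS256' },
  { iss: EXPECTED.issuer, aud: [EXPECTED.audience], exp: 4102444800 });
// Mirrors the error in the thread: HS256 plus two audiences, neither the gateway's.
const badToken = sampleToken({ alg: 'HS256' },
  { iss: EXPECTED.issuer, aud: ['https://other.example/', 'https://TENANT.auth0.com/userinfo'], exp: 4102444800 });

console.log(inspectAccessToken(goodToken, EXPECTED));   // ok: true
console.log(inspectAccessToken(badToken, EXPECTED));    // ok: false, alg and aud problems
console.log(inspectAccessToken('a.b.c.d.e', EXPECTED)); // ok: false, compact JWE
```

Paste the real value from the developer console in place of the samples; if it reports compact JWE, what was copied is the SDK's encrypted session cookie rather than the access token.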