I’m trying to use an access token generated by the `getAccessToken` function, but for some reason it’s returning a JWT without a payload.
Here’s my handler code:
```js
// app/api/auth/[auth0]/route.js
import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';

export const GET = handleAuth({
  login: handleLogin({
    authorizationParams: {
      audience: 'https://anonymized.us.auth0.com/userinfo', // or AUTH0_AUDIENCE
      // Add the `offline_access` scope to also get a Refresh Token
      scope: 'openid profile email offline_access read:products' // or AUTH0_SCOPE
    }
  })
});
```
And here’s where I want to consume it:
```js
import { getAccessToken, getSession } from '@auth0/nextjs-auth0';

export async function POST(req) {
  // Retrieve the access token from the current session
  const { accessToken } = await getAccessToken({
    scopes: ["offline_access"]
  });

  const options = {
    headers: { Authorization: `Bearer ${accessToken}` },
    method: "POST"
  };

  const url = `${process.env.LMS_URL}/login_refresh`;
  let loginResponse = await fetch(url, options);
  return loginResponse;
}
```
For some reason the JWT has no payload. I also made sure that I was passing the audience when logging in.
Sorry for the tags, I can’t seem to find the proper tags for the help board.
tyf
September 16, 2023, 12:28am
Hey @diego.diaz !
> diego.diaz:
> ```js
> // app/api/auth/[auth0]/route.js
> import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';
> export const GET = handleAuth({
>   login: handleLogin({
>     authorizationParams: {
>       audience: 'https://anonymized.us.auth0.com/userinfo', // or AUTH0_AUDIENCE
>       // Add the `offline_access` scope to also get a Refresh Token
>       scope: 'openid profile email offline_access read:products' // or AUTH0_SCOPE
>     }
>   })
> });
> ```
You shouldn’t be passing the /userinfo URL as an audience; it will automatically be added to access tokens. I believe with the current setup the authorization server is just ignoring the audience param altogether, so you’re receiving an opaque token, thus the empty payload.
You’ll want to pass in the identifier/audience of your API you registered in Auth0 instead.
More on the audience param can be found here:
> Question: What is the Audience?
> Answer:
> The audience parameter exists as part of the OAuth2.0 protocol. You can read more information from the specification here.
> What is it?
> The audience (presented as the aud claim in the access token) defines the intended consumer of the token.
> This is typically the resource server (API, in the dashboard) that a client (Application) would like to access.
> It can be added to the request to authorize i.e. audience: 'https://test-api'
> Here is an example where …
Aside from that, everything looks good!
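As an added example (not code from the thread or from the `@auth0/nextjs-auth0` SDK), here is the corrected `authorizationParams` beside a small diagnostic that tells an opaque token apart from a JWT and checks whether the `aud` claim contains the API identifier. The API identifier `https://my-lms-api.example` and the sample tokens are constructed placeholders.

```javascript
// Added example, not from the original thread. Auth0 issues an opaque access
// token when no API audience is requested and a JWT (three base64url segments)
// when one is. The API identifier below is a constructed placeholder.
const EXPECTED_AUDIENCE = 'https://my-lms-api.example'; // constructed placeholder

// Corrected authorizationParams: the audience is the API identifier registered
// in the Auth0 dashboard, not the /userinfo endpoint.
const authorizationParams = {
  audience: EXPECTED_AUDIENCE,
  scope: 'openid profile email offline_access read:products',
};

function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// Classifies a token without verifying it. Signature, exp and iss checks still
// belong in the resource server; this only explains what the client received.
function inspectAccessToken(token, expectedAudience) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { kind: 'opaque', reason: 'no JWT payload: audience was probably ignored' };
  }
  let payload;
  try {
    payload = decodeSegment(parts[1]);
  } catch {
    return { kind: 'opaque', reason: 'segment is not base64url JSON' };
  }
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return {
    kind: 'jwt',
    aud,
    audienceMatches: aud.includes(expectedAudience),
    scope: (payload.scope || '').split(' ').filter(Boolean),
  };
}

// Constructed sample tokens: an opaque one (the poster's symptom) and a JWT
// built here for illustration only; its signature segment is fake.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.fakesignature`;
}
const OPAQUE_SAMPLE = 'GwT0r3Xv9Q2mKp1Z'; // constructed
const JWT_SAMPLE = makeSampleJwt({
  aud: [EXPECTED_AUDIENCE, 'https://anonymized.us.auth0.com/userinfo'],
  scope: 'openid profile email offline_access read:products',
});
```

Running `inspectAccessToken` on the token returned by `getAccessToken` shows whether the login request actually carried a usable audience before the token is forwarded to the LMS.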
system
Closed
September 30, 2023, 12:29am
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.