Client Credentials | Making 'Audience' optional

Hi Team,

We’re currently using the client credentials grant to be able to get an access_token through our platform (MuleSoft), and have been following the details here https://auth0.com/docs/flows/concepts/client-credentials. The issue we’re having is that we get the following error:

{
    "error": "access_denied",
    "error_description": "Non-global clients are not allowed access to APIv1"
}

Which is due to the audience param not being sent. Due to us not being able to set this param on the platform, is there a way to work around this?

Thanks,
Karlo


Hi @kdiamante,

Can you please post your code with any sensitive info omitted. Thanks!

Hi @dan.woda,

Thanks for replying! The code is actually in Mule, see below:

<http:listener-config name="HTTP_Listener_config" doc:name="HTTP Listener config" doc:id="2e95daf0-ac38-4811-a826-92198bce4302">
    <http:listener-connection host="0.0.0.0" port="8081" />
</http:listener-config>

<http:request-config name="HTTP_Request_Configuration" basePath="/api/v2">
    <http:request-connection host="hostname.au.auth0.com" port="443">
        <http:authentication>
            <oauth:client-credentials-grant-type clientId="XXXX" clientSecret="XXXX" tokenUrl="https://hostname.au.auth0.com/oauth/token" />
        </http:authentication>
    </http:request-connection>
</http:request-config>

<flow name="auth0-apiFlow" doc:id="1828ee01-827e-4a83-8872-91f8d7c67951">
    <http:listener doc:name="Listener" doc:id="0877672f-5a75-4aa0-89d8-47cc36bdb2bc" config-ref="HTTP_Listener_config" path="auth0" />
    <logger level="INFO" doc:name="Logger" doc:id="42892247-3e37-46d3-b364-c282d980410f" />
    <http:request method="GET" doc:name="Request" doc:id="b7628f0d-8509-4751-8f5c-b201d79d704c" config-ref="HTTP_Request_Configuration" path="/users" />
    <logger level="INFO" doc:name="Logger" doc:id="30840625-821a-40e2-af62-37864bde0707" />
</flow>

</mule>

As per the logs, it displays the following HTTP request being sent. Note the payload being sent only contains grant_type. Due to this (i.e. not sending the audience field), it gives the aforementioned error.

DEBUG 2020-05-08 18:22:57,251 [[MuleRuntime].uber.03: [auth0-api].auth0-apiFlow.CPU_LITE @2d15ad58] [processor: auth0-apiFlow/processors/1; event: 1f2ba740-9105-11ea-b2a0-88e9fe7f0fbe] org.mule.service.http.impl.service.HttpMessageLogger.oauthToken.requester: REQUESTER
POST /oauth/token/ HTTP/1.1
authorization: Basic XXXXXXXX==
Host: hostname
User-Agent: AHC/1.0
Connection: keep-alive
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

grant_type=client_credentials

Can you not make a POST request with Mule? Sorry, I am not familiar with this language.

Hi @dan.woda thanks for asking. Yes you can, however, Mule has an inbuilt connector that has got OAuth functionalities built into it, which I’m trying to leverage. The limitation I’m finding is that the inbuilt functionality does not allow me to put an audience parameter on the payload. Hence, I wanted to know if there’s a way to make this param optional.

The alternative I have, of course, is to do a POST call with the required params. The downside is, I would need to manage the tokens, which the inbuilt functionality already does for me.
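
The alternative described in the post above (a direct POST to /oauth/token that includes audience, with the caller managing tokens itself) could look like the following Python sketch. It is an added example, not code from this thread, Auth0 or MuleSoft; the class name, the injectable `post` and `clock` parameters and the 60-second refresh skew are assumptions, and the `access_token` and `expires_in` reply fields are those of a standard OAuth 2.0 token response.

```python
import json
import time
import urllib.parse
import urllib.request


def http_post_form(url, body):
    """Default transport: POST a form-encoded body and parse the JSON reply."""
    req = urllib.request.Request(
        url, data=body.encode(),
        headers={"content-type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ClientCredentialsTokens:
    """Fetches and caches one access token per audience (hypothetical helper)."""

    def __init__(self, token_url, client_id, client_secret,
                 post=http_post_form, clock=time.monotonic, skew=60):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post      # injectable so the class can be exercised offline
        self.clock = clock
        self.skew = skew      # assumed margin: refresh this many seconds early
        self._cache = {}      # audience -> (access_token, expires_at)

    def build_body(self, audience):
        # Same four parameters as the cURL call quoted later in this thread.
        if not audience:
            raise ValueError("audience is required")
        return urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "audience": audience,
        })

    def get(self, audience):
        cached = self._cache.get(audience)
        if cached and self.clock() < cached[1]:
            return cached[0]          # still valid: no network round trip
        reply = self.post(self.token_url, self.build_body(audience))
        if "access_token" not in reply:
            # Error replies carry "error" and "error_description" instead.
            raise RuntimeError(f"{reply.get('error')}: {reply.get('error_description')}")
        lifetime = max(int(reply.get("expires_in", 0)) - self.skew, 0)
        self._cache[audience] = (reply["access_token"], self.clock() + lifetime)
        return reply["access_token"]
```

Keep the client secret out of source control and logs; the cache holds tokens in memory only.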

I see. I am not exactly sure why audience is required for that error to go away. I think that error is suggesting that you are requesting a token for the management APIv1, which is deprecated.

Thanks, I’m not so sure either. I followed the instructions as per here https://auth0.com/docs/flows/guides/client-credentials/call-api-client-credentials (using the Authentication API Postman collection) and have come to that conclusion.

Are you trying to call a custom API from your Mule app?

Hi Dan, not a custom API - I was following what’s on this link https://auth0.com/docs/flows/guides/client-credentials/call-api-client-credentials

A Mule equivalent of the following cURL call
curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=client_credentials \
  --data 'client_id=YOUR_CLIENT_ID' \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data audience=YOUR_API_IDENTIFIER

Is this a custom API?

In this example you are getting an access token so an M2M app (presumably your Mule app) can call a custom API. The audience parameter lets the token issuer (Auth0) know you want to use the access token to call whoever you set as the audience. It is essentially declaring the token consumer.


Thanks Dan for all the info - appreciate it. I think this will be my last follow-up question. Are we able to customise the Authentication API in our tenant Auth0 to make the audience parameter optional?

You will not be able to do that. It is a necessary part of the token issuing process, otherwise the token isn’t valid for the API you are trying to call.
