Client get 401 when calling to API

p.jankowski92 · November 14, 2017, 5:08pm

I cannot make any authenticated call to API from client, as a client im using example:
https://auth0.com/docs/quickstart/spa/angular2/03-calling-an-api
On backend side i implemented only this part of code:

@EnableWebSecurity   
@Configuration
 public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtWebSecurityConfigurer
                .forRS256(apiAudience, issuer)
                .configure(http)
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/not-secured").permitAll()
                .anyRequest().authenticated();
    }

When im pinging not-secured path everything is working.
Im sure my apiAudience and issuer properties have correct values.
ApiExplorer and TestClient works as expected.
As a scope im using: scope: ‘openid profile’
Both client and use RS256
/userInfo endpoint works as expected

Anyone has a clue what im i doing wrong?

Update:

Here is my apiAudience and issuer vars on backend.

private String apiAudience = "https://p-jankowski.eu.auth0.com/api/v2/";
private String issuer = "https://p-jankowski.eu.auth0.com/";

And here is a payload of token im getting from auth0:

{
  "iss": "https://p-jankowski.eu.auth0.com/",
  "sub": "google-oauth2|114536956276415376017",
  "aud": 
    "https://p-jankowski.eu.auth0.com/api/v2/",
    "https://p-jankowski.eu.auth0.com/userinfo"
  ],
  "iat": 1510758445,
  "exp": 1510765645,
  "azp": "AqlWzMWC9t6eAQ0IWR1FYhnYpVJnIaZn",
  "scope": "openid"
}

Seems like everything should be working fine, but it doesn’t, I’m not sure what i missed in docs.

jmangelo · November 14, 2017, 7:21pm

In addition to making sure that the audience values are correct at the API level you also need to ensure that the client application performs an authentication/authorization request that includes an audience parameter with a value matching the one associated with your API.

The above may not be a definitive answer, however, based on the information provided is hard to point to the root cause. Ideally you should provide the API audience you’re using and the payload section of the JWT access token the client application is sending to the API (you can redact any custom claims withing the payload and also redact your Auth0 domain name).

p.jankowski92 · November 15, 2017, 11:27pm

First of all thank you for your reply @jmangelo I updated the question wit more info

p.jankowski92 · November 15, 2017, 11:27pm

First of all thank you for your reply @jmangelo I updated the question wit more info

jmangelo · November 17, 2017, 12:19am

The token does contain the audience you are requiring; the only thing weird is that you’re using https://p-jankowski.eu.auth0.com/api/v2/ audience which is associated with the Auth0 Management API and as such should not be used to represent your own API, however, technically for the issue at hand that does not seem the explanation. In addition, I don’t know for certain but given the token only has the openid scope if the API is making additional requirements on scopes then this could be an issue.

p.jankowski92 · November 19, 2017, 9:04am

Found the issue,
All i had to do is add one line in SecurityConfig in api

  .antMatchers(HttpMethod.OPTIONS).permitAll()

Thanky you @jmangelo for your time and help