Confusions about required Authentication even with Bearer on board

i hope you can help. I like to use auth0 service with oidc flavor.

My situation is the following:

  • Node 12 App with Express Rest API and express-openid-connect on heroku
  • Angular Frontend with @auth0/auth0-angular

It’s seems that the login process over the frontend is working because the http interceptor attached the bearer token to the request which is send to api but sadly i get the response that its forbidden.

{"errors":[{"message":"Authentication is required for this route."}]}

Of course, i like secure the route f.e. “/api/v1/users/me” with middleware method “requiresAuth()” of the express-openid-connect package in the first place. But i can’t figure what i’m doing wrong.

I guess it’s not the frontend because a correct Bearer (guess too) is attached.
The Backend might wants to strictly like to login with oidc package login method? i don’t know…

Any ideas of you guys?

Hi @webben-de,

Welcome to the Community!

Here are a couple questions to help with troubleshooting:

  • Just to clarify, requests made by the Angular app have an Authorization header with the Access Token used as the Bearer token, correct?

  • Within the Angular app, are you using the API Identifier as the audience in the AuthModule.forRoot configs?

  • Have you tried decoding the Access Token at

  • If you try logging the bearer token in the Node API, does it look like it is making it in the request?

  • Are you using the Node (Express) API Quickstart as an example for your API?


firstly thanks for the response. But i guess i had a knot in my head about architecture of the app/api/auth.

But to answer at least your question

  1. Yes the Bearer attached
  2. The audience is in the AuthModule Config is correct
  3. Decode of the attached bearer seems good
  4. => Solution: This was also the solution for my mind. Honestly i was not sure about the oidc topic at all. So the whole backend implemtation did not make any sense because i dont auth the user via my backend via the mentioned oidc express middleware instead “just” have to check the bearer which is already attached to the request and get ride of the oidc stuff in the backend. I then used GitHub - auth0/express-jwt-authz: Validate the JWT scope to authorize access to an endpoint to secure the root like i wanted.
  5. I read a lot of Quickstart and Tutorials perhabs i read also this.
1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.