I have inherited a “single-page app” which uses an Auth0 ID Token to connect to Hasura. I would like to, instead, use an Auth0 Access Token.
I’ve written code to create the Access Token, via the useAuth0 hook from '@auth0/auth0-react’, and added the Access Token pipeline rule in Auth0 config, but Hasura returns “Could not verify JWT: JWSError CompactDecodeError Invalid number of parts: Expected 3 parts; got 5”.
The ID Token continues to work with Hasura without issue.
While I’m not familiar with Hasura myself, I looked this tutorial and judging on the error you’re seeing am guessing it is an issue having to due with than opaque access token. Check out the “create an API” section in that tutorial as it outlines the steps you need to take in order to receive a JWT rather than the aforementioned opaque access token.
Thanks for your reply. Yes, your opaque-vs-JWT-Access–Token idea makes sense. Thanks for a direction for focus.
The tutorial you reference has a lot of Hasura-specific information which confuses the issue slightly - for me, anyway. My perception is I’m doing what tutorial says. Is there a tutorial from Auth0 with a tighter focus on creating a JWT Access Token? If so, great, if not I’ll separate the wheat from the chaff in the Hasura tutorial.
I’ll also raise the question on the Hasura forum.
Thanks again for your reply. I’ll report any discoveries.
For future readers, the trick seemed to be getting the audience working. I didn’t accomplish that but my colleague, having more Auth0-Hasura integration experience, was able to do it. I remain unclear why his code worked but mine did not.
He surmises that deleting our Auth0 Custom API (that’s what specifies the audience) and recreating it was the secret sauce.
There are so many moving parts that I find it unfeasible to nail down a clear path to a solution. But here are two tentative observations:
an ID Token can give API access (e.g. to Hasura) without an audience but a non-“opaque”, i.e. JWT, Access Token requires an audience. Part of my problem was I wanted to get audience working with my ID Token before I converted to Access Token (to be able to quickly roll back to ID Token if necessary). That nicety may present difficulty or worse. I eventually abandoned the idea and went “all in”.
Without the audience you get an “opaque” Access Token rather than a JWT and will get “Expected 3 parts; got 5” from e.g. Hasura.
Again, I state neither of the above with certainty.
What I will say is if you want to convert from accessing an API, e.g. Hasura, via ID Token to accessing it via Access Token, besides modifying the Auth0 “pipeline”, you may have to get audience working (end to end: Auth0, your code, API service) and, if all else fails, try deleting and recreating your Auth0 Custom API.
Note: we were actually able to access Hasura before we set up audience there. They key seemed to be setting up the correct audience our custom in-app Auth0 config code (a React Hook in our case). We set the audience in Hasura later.