Empty Payload in Access Token with Next.js

Hello, I’m using Auth0 to allow users to login with Google SSO in a nextjs application. I need to validate the user with the backend of the application. That being said, auth0 is returning an opaque access token even though I have included https://{tenant}.auth0.com/api/v2/ as the AUTH0_AUDIENCE .env variable (which is in turn being included as a query param to the /authenticate endpoint). How can I ensure that the payload of the JWT is not empty?

Here’s the code that I’m using to parse the access token on the backend:

export async function getUser() {
  const sessionCookies = await cookies();
  const token = sessionCookies.get('appSession');
  if (token == null) {
    redirect('/api/auth/login');
  }
  return jwt.decode(token['value'], process.env.AUTH0_CERT);
}

This function returns null because the JWT payload is empty.

Collin

Hi there @collin1 welcome to the community!

Do you mind grabbing a sample access token, pasting it in jwt.io and sharing the result here? Please redact any sensitive information.

Thanks!

Sure thing. Here’s a link.

Hey thanks @collin1!

That looks to be an opaque token like you mentioned - Are you positive an audience param is getting passed?

Yes.

https://dev-aoeuaoeuaoeuaoeu.us.auth0.com/authorize?client_id=aoeuaoeuaoeuaoeuaeou&scope=openid%20profile%20email&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback&audience=https%3A%2F%2Fdev-aoeuaoeuaoeuaoeu.us.auth0.com%2Fapi%2Fv2%2F&nonce=aoeuaoeuaoeuaoeuaoeu&state=aoeuaoeuaoeuaeouaoeu&code_challenge=aoeuaoeuaoeuaoeuaeou&code_challenge_method=S256

Just following up - any thoughts on what may be causing this issue?

Collin

Hi @collin1,

Thank you for your response. I am following up for @tyf.

I have just tested getting an Access Token with Next.js and did not experience any issues.

To investigate this issue further, could you please provide me the exact /authorize URL request you made and send it to me via direct messages?

For the moment, the URL you shared in this reply has obfuscated your tenant name. I would like to make sure that the request and your tenant settings are correct.

Thanks,
Rueben

Thanks, Rueben. I just sent over a message.

Hey all - just following up here.

Hey all - following up again

Last time following up. We won’t be able to use Auth0 as an authentication provider if this isn’t resolved.

Hi @collin1,

Thank you for your updates. I have responded in our direct messages together with the provided solution. I am going to share the solution with the rest of the Community.

In essence, whenever the audience parameter is omitted in the login request, the token generated will be opaque. To get a JWT access token you must pass an audience parameter in the login request. For more information, I recommend reading our Get Access Tokens documentation.

For clarity, the /authorize request should look something like the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope={scope}&
    audience={apiAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

I hope this helps!

Thanks,
Rueben

Hey Rueben - I have already confirmed that, please read the above messages and our private thread. I have started implementing frontegg and will move forward with their product if we are unable to resolve this issue before I finish.

Collin

Hi @collin1,

Thanks for the reply!

I have just followed up with another response through our direct messages conversation.

Were there any updates regarding this? I’m running into the same issue

A post was split to a new topic: Missing Payload in Access Token with Next.js

Just a quick update on this case.

The issue was that the application was not granted access to the Management API. In most cases, if the token is opaque, then there was no audience passed into the call. Here is some documentation describing this.

I hope this helps!

Best,
Alex