Empty Payload in Access Token with Next.js

collin1 · May 25, 2023, 2:29pm

Hello, I’m using Auth0 to allow users to login with Google SSO in a nextjs application. I need to validate the user with the backend of the application. That being said, auth0 is returning an opaque access token even though I have included https://{tenant}.auth0.com/api/v2/ as the AUTH0_AUDIENCE .env variable (which is in turn being included as a query param to the /authenticate endpoint). How can I ensure that the payload of the JWT is not empty?

Here’s the code that I’m using to parse the access token on the backend:

export async function getUser() {
  const sessionCookies = await cookies();
  const token = sessionCookies.get('appSession');
  if (token == null) {
    redirect('/api/auth/login');
  }
  return jwt.decode(token['value'], process.env.AUTH0_CERT);
}

This function returns null because the JWT payload is empty.

Collin

tyf · May 25, 2023, 9:36pm

Hi there @collin1 welcome to the community!

Do you mind grabbing a sample access token, pasting it in jwt.io and sharing the result here? Please redact any sensitive information.

Thanks!

collin1 · May 26, 2023, 12:06pm

Sure thing. Here’s a link.

tyf · May 26, 2023, 11:09pm

Hey thanks @collin1!

That looks to be an opaque token like you mentioned - Are you positive an audience param is getting passed?

collin1 · May 27, 2023, 2:04pm

Yes.

https://dev-aoeuaoeuaoeuaoeu.us.auth0.com/authorize?client_id=aoeuaoeuaoeuaoeuaeou&scope=openid%20profile%20email&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback&audience=https%3A%2F%2Fdev-aoeuaoeuaoeuaoeu.us.auth0.com%2Fapi%2Fv2%2F&nonce=aoeuaoeuaoeuaoeuaoeu&state=aoeuaoeuaoeuaeouaoeu&code_challenge=aoeuaoeuaoeuaoeuaeou&code_challenge_method=S256

collin1 · May 31, 2023, 3:01pm

Just following up - any thoughts on what may be causing this issue?

Collin

rueben.tiow · June 1, 2023, 12:55am

Hi @collin1,

Thank you for your response. I am following up for @tyf.

I have just tested getting an Access Token with Next.js and did not experience any issues.

To investigate this issue further, could you please provide me the exact /authorize URL request you made and send it to me via direct messages?

For the moment, the URL you shared in this reply has obfuscated your tenant name. I would like to make sure that the request and your tenant settings are correct.

Thanks,
Rueben

collin1 · June 1, 2023, 1:51pm

Thanks, Rueben. I just sent over a message.

collin1 · June 5, 2023, 3:50pm

Hey all - just following up here.

collin1 · June 12, 2023, 2:10pm

Hey all - following up again

collin1 · June 14, 2023, 3:34pm

Last time following up. We won’t be able to use Auth0 as an authentication provider if this isn’t resolved.

rueben.tiow · June 19, 2023, 3:43pm

Hi @collin1,

Thank you for your updates. I have responded in our direct messages together with the provided solution. I am going to share the solution with the rest of the Community.

In essence, whenever the audience parameter is omitted in the login request, the token generated will be opaque. To get a JWT access token you must pass an audience parameter in the login request. For more information, I recommend reading our Get Access Tokens documentation.

For clarity, the /authorize request should look something like the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope={scope}&
    audience={apiAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

I hope this helps!

Thanks,
Rueben

collin1 · June 19, 2023, 5:57pm

Hey Rueben - I have already confirmed that, please read the above messages and our private thread. I have started implementing frontegg and will move forward with their product if we are unable to resolve this issue before I finish.

Collin

rueben.tiow · June 21, 2023, 1:42am

Hi @collin1,

Thanks for the reply!

I have just followed up with another response through our direct messages conversation.

diego.diaz · September 15, 2023, 9:48pm

Were there any updates regarding this? I’m running into the same issue

tyf · May 20, 2024, 4:48pm

A post was split to a new topic: Missing Payload in Access Token with Next.js

alex.brett · November 20, 2024, 8:56pm

Just a quick update on this case.

The issue was that the application was not granted access to the Management API. In most cases, if the token is opaque, then there was no audience passed into the call. Here is some documentation describing this.

I hope this helps!

Best,
Alex

system · December 4, 2024, 8:57pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Empty Payload in Access Token using Next.js Get Help nextjs-auth0 , sdks-quickstarts	2	300	May 20, 2024
Nextjs13 Auth0 accesstoken missing the JWT Payload Get Help	0	719	July 19, 2023
Can't get access token with nextjs-auth0 with the audience set Get Help login-experience , new-universal-login-experience	2	4794	September 16, 2023
Payload in access token is empty after google sing in by Auth0 Get Help management-api , users	2	2170	April 4, 2023
No payload for Access Token with @auth0/nextjs-auth0 version 4.4.2 Get Help apis , application	3	33	April 15, 2025

Empty Payload in Access Token with Next.js

Related topics