Empty Payload in Access Token with Next.js

Help
,
1

Hello, I’m using Auth0 to allow users to login with Google SSO in a nextjs application. I need to validate the user with the backend of the application. That being said, auth0 is returning an opaque access token even though I have included https://{tenant}.auth0.com/api/v2/ as the AUTH0_AUDIENCE .env variable (which is in turn being included as a query param to the /authenticate endpoint). How can I ensure that the payload of the JWT is not empty?

Here’s the code that I’m using to parse the access token on the backend:

export async function getUser() {
  const sessionCookies = await cookies();
  const token = sessionCookies.get('appSession');
  if (token == null) {
    redirect('/api/auth/login');
  }
  return jwt.decode(token['value'], process.env.AUTH0_CERT);
}

This function returns null because the JWT payload is empty.

Collin

2

Hi there @collin1 welcome to the community!

Do you mind grabbing a sample access token, pasting it in jwt.io and sharing the result here? Please redact any sensitive information.

Thanks!

1 Like
4

Sure thing. Here’s a link.

1 Like
5

Hey thanks @collin1!

That looks to be an opaque token like you mentioned - Are you positive an audience param is getting passed?

1 Like
6

Yes.

https://dev-aoeuaoeuaoeuaoeu.us.auth0.com/authorize?client_id=aoeuaoeuaoeuaoeuaeou&scope=openid%20profile%20email&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback&audience=https%3A%2F%2Fdev-aoeuaoeuaoeuaoeu.us.auth0.com%2Fapi%2Fv2%2F&nonce=aoeuaoeuaoeuaoeuaoeu&state=aoeuaoeuaoeuaeouaoeu&code_challenge=aoeuaoeuaoeuaoeuaeou&code_challenge_method=S256

7

Just following up - any thoughts on what may be causing this issue?

Collin

8

Hi @collin1,

Thank you for your response. I am following up for @tyf.

I have just tested getting an Access Token with Next.js and did not experience any issues.

To investigate this issue further, could you please provide me the exact /authorize URL request you made and send it to me via direct messages?

For the moment, the URL you shared in this reply has obfuscated your tenant name. I would like to make sure that the request and your tenant settings are correct.

Thanks,
Rueben

1 Like
9

Thanks, Rueben. I just sent over a message.

1 Like
10

Hey all - just following up here.

1 Like
11

Hey all - following up again

12

Last time following up. We won’t be able to use Auth0 as an authentication provider if this isn’t resolved.

13

Hi @collin1,

Thank you for your updates. I have responded in our direct messages together with the provided solution. I am going to share the solution with the rest of the Community.

In essence, whenever the audience parameter is omitted in the login request, the token generated will be opaque. To get a JWT access token you must pass an audience parameter in the login request. For more information, I recommend reading our Get Access Tokens documentation.

For clarity, the /authorize request should look something like the following:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope={scope}&
    audience={apiAudience}&
    state={state}

(Reference: Call Your API Using the Authorization Code Flow)

I hope this helps!

Thanks,
Rueben

14

Hey Rueben - I have already confirmed that, please read the above messages and our private thread. I have started implementing frontegg and will move forward with their product if we are unable to resolve this issue before I finish.

Collin

15

Hi @collin1,

Thanks for the reply!

I have just followed up with another response through our direct messages conversation.

16

Were there any updates regarding this? I’m running into the same issue