Error calling my external API

Help
,
1

I want to use the token that I get from the getAccessToken function in my Nextjs API endpoint to call my external API that I already created in the Auth0 dashboard but I’m getting this error:

# This is my NextJS API endpoint /api/books
export default withApiAuthRequired(async function getBooks(req:any, res:any) {
  const { accessToken } = await getAccessToken(req, res); # <---- I see this is not a JWT token but opaque token
  const response = await booksApi('/books?title=Calcu', { headers: { "Authorization": `Bearer ${accessToken}` } })
  res.status(200).json({ accessToken, response })
})

I created the books-service in the API section on the Auth0 Dashboard and added ‘read:books’ to the permissions list(scopes) but I don’t know where I should specify that permission in the code.

3

Hi @solvy-dev,

Welcome to the Auth0 Community!

It sounds like you are missing the audience parameter. See this FAQ:

4

Ok I could get the JWT access token sending the audience and I checked the token on the jwt.io website and I can see the payload

export default handleAuth({
  login: async (req, res) => {
    await handleLogin(req, res, {
      returnTo: "/dashboard",
      authorizationParams: {
        audience: 'MY_EXTERNAL_API_IDENTIFIER',
      }
    });
  }
});

But when I send that token to my external API I get the next response with statusCode

{
    "message": null
}

What type of configuration should I implement in my external API? Do I have to verify something else beside the JWT signature or set some fields?

5

From there it is up to you what you want to do with your API. I can point you towards an example if you tell me about your external API (what language, framework, etc).

6

That’d be awesome. To provide some context I’m using Serverless Framework but any NodeJS example I think is helpful. This is the code from my AWS Lambda authorizer which is an endpoint that is hit every time I send a request to other endpoints like /api/v1/products in order to get permission to work as expected.

    const token = event.authorizationToken.replace('Bearer ', '');
    const claims = jwt.verify(token, EnvironmentConfig.auth0PublickKey) as JwtPayload; 
    const principalId = claims.sub as string
    const policy = generatePolicy(principalId, event.methodArn);
    return {
      ...policy,
      context: claims 
    };

When I verify the token I use the PEM certificate downloaded from my regular web app on the Auth0 dashboard. That’s all the code that I’m using on my backend to handle the token. Am I missing something?

7

Have you seen this blog? It sounds like it runs over most of your setup:

8

Ok I found the solution, the problem is in the Context returned by the authorizer AWS Lambda function. The type of that context is:

export interface APIGatewayAuthorizerResultContext {
    [name: string]: string | number | boolean | null | undefined;
}

And the JWT access token payload returned by Auth0 has the property aud which contains an array and that breaks something in AWS and that’s why the response is { "message": null } with status code 500.

Thanks @dan.woda for your help! Now my external API is working as expected :smiley:

1 Like
9

Thanks for sharing! :slight_smile:

10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.