Error calling my external API

I want to use the token that I get from the getAccessToken function in my Nextjs API endpoint to call my external API that I already created in the Auth0 dashboard, but I’m getting this error:

// This is my NextJS API endpoint /api/books
import { withApiAuthRequired, getAccessToken } from '@auth0/nextjs-auth0';

export default withApiAuthRequired(async function getBooks(req: any, res: any) {
  const { accessToken } = await getAccessToken(req, res); // <---- I see this is not a JWT token but an opaque token
  // booksApi is the poster's own HTTP client for the external API (not shown in the thread)
  const response = await booksApi('/books?title=Calcu', { headers: { "Authorization": `Bearer ${accessToken}` } });
  res.status(200).json({ accessToken, response });
});

I created the books-service in the API section on the Auth0 Dashboard and added ‘read:books’ to the permissions list (scopes), but I don’t know where I should specify that permission in the code.

Hi @solvy-dev,

Welcome to the Auth0 Community!

It sounds like you are missing the audience parameter. See this FAQ:

Ok, I could get the JWT access token by sending the audience, and I checked the token on the jwt.io website and I can see the payload.

// Auth0 route handler (pages/api/auth/[...auth0].ts in the nextjs-auth0 SDK layout)
import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';

export default handleAuth({
  login: async (req, res) => {
    await handleLogin(req, res, {
      returnTo: "/dashboard",
      authorizationParams: {
        // requesting an audience makes Auth0 issue a JWT access token instead of an opaque one
        audience: 'MY_EXTERNAL_API_IDENTIFIER',
      }
    });
  }
});

But when I send that token to my external API, I get the following response with statusCode

{
    "message": null
}

What type of configuration should I implement in my external API? Do I have to verify something else besides the JWT signature or set some fields?

From there it is up to you what you want to do with your API. I can point you towards an example if you tell me about your external API (what language, framework, etc.).

That’d be awesome. To provide some context, I’m using the Serverless Framework, but I think any NodeJS example is helpful. This is the code from my AWS Lambda authorizer, which is an endpoint that is hit every time I send a request to other endpoints like /api/v1/products, in order for permissions to work as expected.

    import jwt, { JwtPayload } from 'jsonwebtoken';
    import { APIGatewayTokenAuthorizerEvent, APIGatewayAuthorizerResult } from 'aws-lambda';
    // EnvironmentConfig (holds the PEM public key) and generatePolicy are the poster's own modules, not shown

    export const handler = async (event: APIGatewayTokenAuthorizerEvent): Promise<APIGatewayAuthorizerResult> => {
      const token = event.authorizationToken.replace('Bearer ', '');
      // verify the RS256 signature against the tenant's public key
      const claims = jwt.verify(token, EnvironmentConfig.auth0PublickKey) as JwtPayload;
      const principalId = claims.sub as string;
      const policy = generatePolicy(principalId, event.methodArn);
      return {
        ...policy,
        context: claims // decoded claims passed straight through to the authorizer context
      };
    };

When I verify the token, I use the PEM certificate downloaded from my regular web app on the Auth0 dashboard. That’s all the code I’m using on my backend to handle the token. Am I missing something?

Have you seen this blog? It sounds like it runs over most of your setup:

Ok, I found the solution: the problem is in the context returned by the authorizer AWS Lambda function. The type of that context is:

export interface APIGatewayAuthorizerResultContext {
    [name: string]: string | number | boolean | null | undefined;
}

And the JWT access token payload returned by Auth0 has the property aud, which contains an array, and that breaks something in AWS; that’s why the response is { "message": null } with status code 500.

Thanks @dan.woda for your help! Now my external API is working as expected :smiley:


Thanks for sharing! :slight_smile:
