Full Stack Architecture + Auth0

oscar.gch · February 10, 2023, 10:52am

Hi,

I followed the React Authentication By Example: Using React Router 6 guide here(React Authentication By Example: Using React Router 6)

Everything is working perfect until the point in which… I try to use a NodeJS Express server."

Since the guide only works for Single Page Web Applications… I’m wondering if that is the problem.

When I go to the Settings on a Regular Web Application, on the Quick Start guide, it gives me the Integrate Auth0 option by installing express. Then it gives me this example code:

const { auth } = require(‘express-openid-connect’);

const config = {
authRequired: false,
auth0Logout: true,
secret: ‘a long, randomly-generated string stored in env’,
baseURL: ‘http://localhost:4040’,
clientID: ‘clientID’,
issuerBaseURL: ‘https://RANDOM.URL’
};

// auth router attaches /login, /logout, and /callback routes to the baseURL
app.use(auth(config));

// req.isAuthenticated is provided from the auth router
app.get(‘/’, (req, res) => {
res.send(req.oidc.isAuthenticated() ? ‘Logged in’ : ‘Logged out’);
});

This does not happen on the Single Page Web Application. And I’m wondering if this is not allowing me to be able to use ‘express-openid-connect’.

Every time I try to use it… it gives me a 401 (Unauthorized) error when using an axios.get function.

Then on the Network tab, the response I get is “jwt malformed”.

I’ve checked all these settings on my index.js file on the server folder:

const { auth } = require(‘express-openid-connect’);

const verifyJWT = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: ‘https://randomURL.us.auth0.com/.well-known/jwks.json’
}),
audience: ‘https://randomURL’,
issuer: ‘https://randomURL.us.auth0.com’,
algorithms: [‘RS256’]
}).unless({path: [‘/’]})

app.use(verifyJWT);

const config = {
authRequired: false,
auth0Logout: true,
secret: process.env.secret,
baseURL: ‘http://localhost:4040/’,
clientID: ‘clientID’,
issuerBaseURL: ‘https://randomURL.us.auth0.com’
};

app.use(auth(config));

I can’t seem to see the problem.

dan-auth0 · February 10, 2023, 2:33pm

Hello, Oscar!

Thanks for reading this guide!

For the API server integration that you’ll create on the Auth0 Dashboard is a new “API application” as outlined on these steps:

There’s no need to use a Regular Web Application for this purpose as that’s another type of client application.

Which document did you follow to set up the API?

oscar.gch · February 10, 2023, 9:46pm

Well, first of all, thank you for The Guide. I followed the prior one too and got a working Timeline app running( https://timeline-cal.herokuapp.com/ ) that I made as practice for this next project.

Since this new guide came out I decided to update to React 18 and React Router v6. So I appreciate you making the guide for sure.

–

I feel like there’s a bit of confusion regarding a couple of things.

The Application CategorizationS used by Auth0: Native, Single Page Web Application, Regular Web Applications and Machine to Machine Applications. The definitions, to me, as someone who has the intention to make something, are clear; yet for some reason, from my dev mindset, I do wonder what the backend differences are when selecting each different one -or- if there are any.

I do notice that there are differences in the UI/UX and options for each once selecting them. So that makes me wonder if there are any other actual backend differences.

The reason I say this is because when trying to tackle the JWT MALFORMED problem I found a few posts where people mentioned that I was probably getting an obfuscated token, and that certain Applications could do that. That in turn got me thinking that maybe by selecting Single Page Web Application… I was going to be unable to get a jwt token because it was going to give me an obfuscated one.

This is after first trying to follow The Guide but selecting Regular Web Application instead. I tried it this way and it did not work. Something was not allowing me to do it. It was a month ago so I don’t remember what it was. But I had to restart it and actually select Single Page Web Application.

The Express.js Code Sample guide… I have tried to follow but it wants me to create a new project.

Since I am uploading this to Heroku… I need to have a Client Folder and a Server Folder structure.

The Guide contains a JSON API that I can make work no problem.

The problem occurs for me… when I try to now run an Axios.get call to a PostgreSQL server.

I suspect that it wants to authenticate every route request and I just haven’t figured out how to properly configure the axios.get function with the appropiate headers. But in the prior guide I was able to do this without it requiring an authentication on each request.

Since the prior Guide used a prior version of Router… there was actually a /login and /logout route. In the new guide those are gone. That means that /userinfo is also gone.

/profile works but that one is asking the auth0 for the info… that works fine.

when I try to redirect the axios.get request to my PostgreSQL server… it tells me that either the jwt is malformed or I get “Invalid Compact JWS”.

I’ve tried to troubleshoot this with Postman but Postman does not allow to use an Audience so… I’ve been trying from VSCode but no matter the settings on the .env files… it doesn’t seem to be able to go around those two jwt errors.

I’m thinking the

const apiRouter = express.Router();

is no longer relevant in this new Guide. On the server side at least.

The thing is that before…

app.get(‘/profile’, requiresAuth(), (req, res) => {
res.send(JSON.stringify(req.oidc.user));
});

I could use requiresAuth() to authenticate the request… but now… I don’t know if that is the case.

I’ll keep trying to make it work. I just don’t know where the problem is at the moment.

dan-auth0 · February 10, 2023, 9:55pm

Oscar, thank you so much for this detailed response and for highlighting the areas that may be confusing for developers looking to use Auth0 to protect their different application types.

I want to ensure that we provide you with a proper answer so I am sharing your post with my other teammates.

From the high-level, I can share that your deploy model is interesting: You want to deploy both the client and server at the same time to Heroku. Are you creating a monorepo for your full-stack application?

Is your backend application serving your client application?

I believe that the situation we have at hand relates more to system design/application architecture. To provide you with better support, do you mind if we move this question to its own Community topic? Thanks!

oscar.gch · February 10, 2023, 10:11pm

Dan,

I don’t mind moving this question to its own community topic.

Should I create a new topic for it?

I do have only one repository for the full stack application.

In the end I only push the server folder to Heroku since the client build is sent inside that folder in the public folder. So, I would assume that the answer to… is my backend application serving the client application… is yes.

This is what I’m already doing in the timeline app that I sent link to.

Something interesting I noticed just now… is that when I run the Test for the API… I get a different access_token than the one I get on my app when trying to do the axios.get function.

The one from the Test on the manage.auth0.com site looks like a proper jwt key.

The one from my app, when I getAccessTokenSilently() … I get one that has two points and - and _ in it. characters…[TWO POINTS]characters-characters-characters_characters-characters.characters_characters

mraible · February 10, 2023, 11:02pm

I’ve noticed that if you request an access token without an audience, you get an opaque token. It’s still a valid access token, but it’s not a JWT. If you request an access token with an audience, you get an access token that’s a JWT.

oscar.gch · February 11, 2023, 12:07am

That much I know.

The thing is… when I use this query from my App:

//Get Portfolios
async function getUserPortfolios(user_id) {

  if (!user_id) {
    console.log("The User is not logged in")
  }

  try {
    const token = await getAccessTokenSilently();
    console.log(token) // --> At this point the token I get is obfuscated.
    const res = await axios.get(`http://localhost:6060/portfolios?user_id=${user_id}`, {
    headers: {
      authorization: `Bearer ${token}`
    }

  })
  const userPortfolios = res.data; 
  // console.log(res);
  setUserPortfolios(Object.values(userPortfolios));
  } catch (error) {
    console.log(error.message)
  }
}
  
  useEffect(() => {
    getUserPortfolios(user_id);
    }, [isAuthenticated]);

So the real token never reaches the server in order for it to be authenticated.

I get one that has two points and - and _ in it.

Like this: " characters…[TWO POINTS]characters-characters-characters_characters-characters.characters_characters "

oscar.gch · February 12, 2023, 9:01am

I figured it out with the help of a friend.

So… I was using ‘express-openid-connect’ on my server side and even though I was sending the audience through that middleware… it was giving me an opaque token with the wrong JWT format.

I changed it to

const { auth } = require(‘express-oauth2-jwt-bearer’);

and used validateAccessToken. That gave me the right JWT format and got it working.

Thanks though.

These links helped:

github.com/auth0/node-oauth2-jwt-bearer

InvalidTokenError: Invalid Compact JWS

opened 03:32AM - 21 Jul 22 UTC

closed 11:47PM - 21 Jul 22 UTC

patzj

question

### Description > I'm using the `auth` middleware to protect a certain endpoi…nt. The issue is when I use the access token _(as bearer token)_ coming from `getAccessTokenSilently` of [@auth0/auth0-react](https://github.com/auth0/auth0-react). I'm getting `InvalidTokenError: Invalid Compact JWS` in the logs. But when I use the `__raw` claim from `getIdTokenClaims`, it works. I'm confused whether this lib is suppose to verify access token or ID token. ### Reproduction 1. Set up node-express app (server) ```ts const jwtCheck = auth({ issuerBaseURL: "<DOMAIN>", audience: "<CLIENT_ID>", }); app.get("/signIn", jwtCheck, async (req, res) => { if (req.auth) { return res.send("OK"); } return res.status(401).send("Unauthorized"); }); ``` 2. Set up react app (client) ```tsx export default function Home() { const auth0 = useAuth0(); function signIn() { auth0.loginWithRedirect(); } function signOut() { auth0.logout({ returnTo: window.location.origin, }); } useEffect(() => { if (auth0.isAuthenticated) { auth0.getAccessTokenSilently().then((token) => { fetch("/signIn", { method: "GET", headers: { Authorization: `Bearer ${token}`, }, }) .then((res) => res.text()) .then((text) => console.log(text)) .catch((error) => console.error(error)); }); } }, [auth0]); if (!auth0.user) { return <button onClick={signIn}>Sign In</button>; } return ( <div> <span>{auth0.user.name}</span>  <button onClick={signOut}>Sign Out</button> </div> ); } ``` ### Environment > Please provide the following: - **Version of this library used:** 1.1.0 - **Version of the platform or framework used, if applicable:** express@4.18.1 - **Other relevant versions (language, server software, OS, browser):** typescript, firebase cloud function, firebase hosting - **Other modules/plugins/libraries that might be involved:** @auth0/auth0-react@1.10.2

//

If anybody is gonna use axios on a project like this here’s a code chunk that might save you some time:

app.get('/route', validateAccessToken, async function (req, res) {
  console.log("called /route")
  const VARIABLE = req.query.VARIABLE
  try {
    const data = await pool.query(`SELECT * FROM table WHERE VARIABLE = $1;`, [VARIABLE])
      // console.log(data.rows)    
    res.json(data.rows)  
    // res.send(response)
    // res.send('Secured events Resource');
  } catch (error) {
    res.send(error.message)
  }
});

konrad.sopala · February 13, 2023, 8:02am

Wooohoooo thanks for sharing it with the rest of community! Teamwork makes the dreamwork!

dan-auth0 · February 13, 2023, 2:28pm

I am glad to hear, Oscar! This answer will definitely help people in the same situation in the future. Thanks for sharing your solution.

oscar.gch · February 15, 2023, 2:24am

Hey, guys…

So… hahaha sorry to come back to this… but…

Since now I’m using

const { auth } = require('express-oauth2-jwt-bearer');

…

On my server side… Because of this, I can’t use requiresAuth() as middleware to get the auth0 id on the server side in order to be able to send user specific database queries.

With what I was doing before, using:

const { requiresAuth } = require('express-openid-connect');

I just needed to do this to get the auth0 id:

 app.get('/route', requiresAuth(), (req, res) => {
   res.send(JSON.stringify(req.oidc.user));
 });

But now… since don’t have openid-connect on const { auth } = ‘’ , I can’t do this. I can’t ask for the auth0 id on my server side.

Is there a way for me to ask for the auth0 id using ‘express-oauth2-jwt-bearer’ ?

Or is it possible to configure both express-oauth2-jwt-bearer and express-openid-connect at the same time?

oscar.gch · February 15, 2023, 2:32am

Nevermind…

I just found this document and found a way to get the auth0. Thanks.

github.com

auth0/node-oauth2-jwt-bearer/blob/main/packages/express-oauth2-jwt-bearer/README.md

![Authentication middleware for Express.js that validates JWT Bearer Access Tokens](https://cdn.auth0.com/website/sdks/banners/express-oauth2-jwt-bearer-banner.png)

[![npm](https://img.shields.io/npm/v/express-oauth2-jwt-bearer.svg?style=flat)](https://www.npmjs.com/package/express-oauth2-jwt-bearer)
[![codecov](https://img.shields.io/badge/coverage-100%25-green)](./jest.config.js#L6-L13)
![Downloads](https://img.shields.io/npm/dw/express-oauth2-jwt-bearer)
[![License](https://img.shields.io/:license-mit-blue.svg?style=flat)](https://opensource.org/licenses/MIT)
[![CircleCI](https://img.shields.io/circleci/build/github/auth0/node-oauth2-jwt-bearer.svg?branch=master&style=flat)](https://circleci.com/gh/auth0/node-oauth2-jwt-bearer)

📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💻 [API Reference](#api-reference) - 💬 [Feedback](#feedback)

## Documentation

- [Docs Site](https://auth0.com/docs) - explore our Docs site and learn more about Auth0.

## Getting started
### Requirements

This package supports the following tooling versions:

- Node.js: `^12.19.0 || ^14.15.0 || ^16.13.0` || ^18.12.0

This file has been truncated. show original

app.get('/api/messages',
    (req, res, next) => {
      const auth = req.auth;
      auth.header; // The decoded JWT header.
      auth.payload;  // The decoded JWT payload.
      auth.token; // The raw JWT token.
    }
);

You just need to access what’s in the payload to get it:

app.get('/route',
    (req, res, next) => {
      const auth = req.auth;

      auth.payload.sub;  // Gives you the auth0 id on the server
     
    }
);

konrad.sopala · February 15, 2023, 11:46am

No worries! Thanks for sharing it with the rest of community!

system · March 1, 2023, 11:46am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Nodejs express auth0 unauthorized 401 Help	0	3007	February 11, 2022
Implementing Auth0 as a NodeJS backend with a React frontend Help	1	5604	March 2, 2022
React UI calling Express API Help apis , application	4	751	October 23, 2023
React Authentication By Example: React Router 6 Developer Hub javascript , authentication , react	38	5773	October 17, 2024
Login on a React SPA via ExpressJS backend (express-openid-connect) Help configuration , application	2	731	April 3, 2024

Full Stack Architecture + Auth0

Related Topics