Hello,
I have a React JS app which implements auth0-react. User-authentication is working properly, however I am encountering a challenge while making a request to my protected Flask API (also using auth0).
My Auth0Provider looks like this:
<Auth0Provider
clientId={ process.env.REACT_APP_AUTH0_CLIENT_ID }
domain={ process.env.REACT_APP_AUTH0_DOMAIN }
audience={ process.env.REACT_APP_AUTH0_AUDIENCE }
redirectUri={ window.location.origin }
>
The problem I am facing comes from the access token generated with getAccessTokenSilently method in the React app:
const accessToken = await getAccessTokenSilently({
audience: process.env.AUTH0_AUDIENCE,
});
const apiResponse = await fetch(url, {
headers: {
Authorization: `Bearer ${accessToken}`,
}
});
The Flask API errors out with KeyError: 'kid' because the unverified_header appears to not have been signed correctly. The value of unverified_header is:
# from getAccessTokenSilently
{
'alg': 'dir',
'enc': 'A256GCM',
'iss': 'https://<MY-TENANT>.us.auth0.com/'
# no 'kid' key
}
When I manually use the access token given by the cURL method under APIs/my-api/Test/Asking Auth0 for tokens from my application, it works fine and the unverified_header looks like this:
# from cURL API Test method in Auth0 API Dashboard
{
'alg': 'RS256',
'kid': 'WPQo-m7vuHeK5DZizbQqa', # <-- has 'kid' key (works as expected)
'typ': 'JWT'
}
Maybe Iām missing something simple?
Some more info:
- Audience (in both React app and Flask API):
- value from the
Identifiersection in below image (my API in Auth0 Dashboard)
- value from the
- Domain (in both React app and Flask API):
https://<TENANT_NAME>.us.auth0.com
- API Signing Algorithm (in Auth0 Dashboard)
RS256
- API Signing Algorithms (in Flask API):
['RS256']