Getting Bad Audience while calling Custom API for Auth0 User Management

I saw so many questions on this topic in the community but unfortunately no luck so far.

I’m using Auth0 universal flow for user authentication which works perfectly fine. The problem comes when I try to call Auth0 Management API through our node.js backend.

I created a new API in Auth0 and added this identifier https://example-api

I also added some permissions to this API so we can then use them with different types of user roles.

This is how I’m obtaining the access_token through Management API call:

const axios = require('axios');

// Replace {tenant} with your Auth0 tenant name.
const response = await axios({
  method: 'POST',
  url: `https://{tenant}.auth0.com/oauth/token`,
  headers: { 'Content-Type': 'application/json' },
  data: {
    client_id: '<client_id obtained from newly created API>',
    client_secret: '<client_secret obtained from newly created API>',
    audience: '<audience obtained from newly created API https://example-api>',
    grant_type: 'client_credentials'
  }
})

This call successfully returns the access_token.

Whenever I try to get a user matching certain criteria like this:

// Uses the access_token obtained from the token request above.
const user = await axios({
  method: 'GET',
  url: `https://{tenant}.auth0.com/api/v2/users`,
  params: {
    q: query,
    search_engine: 'v3'
  },
  headers: { authorization: `Bearer ${response.data.access_token}` }
})

it throws the following exception:

{
  statusCode: 401,
  error: 'Unauthorized',
  message: 'Bad audience: https://example-api'
}

I also tried putting a trailing slash on the audience, but no luck.

Whenever I use the audience from the Auth0 Management API (the one which automatically gets created with the Auth0 account, with the label System API), it works and I can get the user, but then I cannot set custom permissions on it.

Any help on this would be appreciated.

Thank you.

Hi @assadullahch,

Welcome to the Community!

The audience param needs to match the API you are calling.

In your example, you are making a call to the management API, which is expecting the token to contain the management API as the audience (https://{tenant}.auth0.com/api/v2/).

Thanks for the quick response @dan.woda.

Does it mean I need to call the API like this: https://example-api/api/v2/users

No, when you request the token you need to have your management API as the audience.

For example:

const axios = require('axios');

// Replace {tenant} with your Auth0 tenant name.
const response = await axios({
  method: 'POST',
  url: `https://{tenant}.auth0.com/oauth/token`,
  headers: { 'Content-Type': 'application/json' },
  data: {
    client_id: '<client_id obtained from newly created API>',
    client_secret: '<client_secret obtained from newly created API>',
    audience: `https://{tenant}.auth0.com/api/v2/`,
    grant_type: 'client_credentials'
  }
})

The audience param defines what resource is consuming the token. Your custom API (example-API) has nothing to do with this transaction.

@dan.woda I think I understand what you are suggesting, but the problem is still there.

I cannot add custom permissions to the API which has the audience https://{tenant}.auth0.com/api/v2/. It got created automatically when I created the tenant and it is labeled as System API. So, I ended up creating a custom API (with the audience https://example-api/) which allows me to add custom permissions. But then I cannot use the audience I added in my custom API to call the Users API.

Basically, we want to add custom roles and permissions to our Auth0 users and then we want to pull their information through our backend using Auth0 Management API.

I also followed this article but our requirement is a little different. We want to pull the user info through Auth0 management API.

Please let me know if I’m missing something.

Thank you.

@dan.woda I managed to make it work but I am not sure whether it’s a good solution or not.

Here’s how I did it.

I used the audience from the API which automatically gets created with the Auth0 account, labeled as System API.

Now my Auth0 domain and audience look like this:

Auth0 Domain: https://{tenant}.auth0.com
Audience: https://{tenant}.auth0.com/api/v2/

Furthermore, I also created a new API and added some custom permissions on it, because the API I specified above does not allow adding custom permissions.

I created the admin role and assigned the custom API’s permissions to it.

To handle other roles, I will need to add more custom APIs with this approach.

With this approach, I’m now able to make API calls to the Management API to get the roles attached to a certain user by providing the user id in the API endpoint, and I’m doing the same for getting the user permissions.

Is it okay to do it this way, or is there a better way to handle this requirement?

Waiting for your response.

You shouldn’t add custom permissions to the management API. If you are making a request to the management API, you need to have the management API as the audience in the token.

When you request a token for your custom API, it will have the permissions that the user is given by their role if you have these settings turned on:

Furthermore, it doesn’t sound like you should be using the management API at all in this scenario. Using the management API to retrieve user details for every user transaction is not scalable, and you will quickly run into management API rate limits.

Can you tell us about your applications? Do you just have the single node.js backend API? If so, you should only have one custom API in auth0. Do you have a single-page app that you are calling your API from?
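An added example, not from this thread or from Auth0’s own code, that shows the audience check the two replies describe: it decodes a constructed, unsigned access token, compares its aud claim with the resource server about to be called (the Management API audience versus the custom API audience), and reads the permissions claim that a token minted for the custom API carries when the RBAC settings mentioned above are enabled. The tenant name and all claims are placeholders.

```javascript
// Added example (not from the thread or from Auth0): decode an access token's payload
// offline and check that its `aud` claim names the resource server you are about to
// call, which is the check behind the "Bad audience" 401 in the thread.
// Tokens below are constructed, unsigned samples; the tenant name is a placeholder.
const TENANT = 'example-tenant'; // placeholder, not a real tenant
const MGMT_AUDIENCE = `https://${TENANT}.auth0.com/api/v2/`;
const CUSTOM_AUDIENCE = 'https://example-api';

// Build an unsigned JWT-shaped token from a claims object (sample data only; a real
// token is signed by Auth0 and must be verified, not merely decoded, before use).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Decode the payload segment of a JWT without verifying the signature.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Null when the token's audience covers `expectedAud`, otherwise a message in the
// shape of the 401 body quoted above. `aud` may be a string or an array of strings.
function audienceError(token, expectedAud) {
  const { aud } = decodePayload(token);
  const auds = Array.isArray(aud) ? aud : [aud];
  return auds.includes(expectedAud) ? null : `Bad audience: ${auds.join(', ')}`;
}

// Permissions the caller was granted through roles; present only when the RBAC
// settings the reply above refers to are enabled on the custom API.
function grantedPermissions(token) {
  return decodePayload(token).permissions || [];
}

// Constructed tokens: one minted for the custom API, one for the Management API.
const customApiToken = makeSampleToken({
  iss: `https://${TENANT}.auth0.com/`, aud: CUSTOM_AUDIENCE,
  permissions: ['read:reports', 'write:reports'],
});
const mgmtApiToken = makeSampleToken({
  iss: `https://${TENANT}.auth0.com/`, aud: MGMT_AUDIENCE, scope: 'read:users',
});

// Presenting the custom-API token to /api/v2/ is what produced the error in the thread.
console.log(audienceError(customApiToken, MGMT_AUDIENCE)); // Bad audience: https://example-api
console.log(audienceError(mgmtApiToken, MGMT_AUDIENCE));   // null
```

Running it under Node 16 or later (for Buffer’s base64url support) prints the rejection for the custom-API token and null for the Management API token; in a real backend the same aud comparison is done by Auth0 when it answers the request, so the check is useful locally only to see which token you actually minted.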
