I use Auth0 Lock to authenticate on my Angular frontend without any problems:
// Auth0 Lock setup for the Angular frontend.
// NOTE(review): `lock` is assigned here without a declaration; the later
// `this.lock.getUserInfo(...)` call suggests this normally lives on a class
// instance (`this.lock = ...`) — confirm in the surrounding component.
const lockAuthOptions = {
  // Lock sends the browser back here with the tokens after login.
  redirectUrl: AUTH_CONFIG.callbackURL,
  // response_type 'token id_token' (implicit flow) returns both an access
  // token and an ID token to the callback URL.
  responseType: 'token id_token',
  // The access token is requested for the tenant's /userinfo endpoint only;
  // no backend API is named as the audience here.
  audience: `https://${AUTH_CONFIG.domain}/userinfo`,
  params: {
    prompt: 'select_account',
  },
};
lock = new Auth0Lock(AUTH_CONFIG.clientID, AUTH_CONFIG.domain, {
  oidcConformant: true,
  autoclose: true,
  socialButtonStyle: 'small',
  rememberLastLogin: true,
  auth: lockAuthOptions,
});
Fetching the user info from the frontend with the returned access token works too:
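// Exchange the access token for the user's profile and cache it client-side.
// The cached profile lives in localStorage, readable by any script on the
// origin, so it is for display only — the backend must never treat it as a
// trusted identity.
this.lock.getUserInfo(authResult.accessToken, (err, profile) => {
  if (err) {
    // The original ignored `err`: on failure it would have cached
    // "null"/"undefined" and navigated as if login had succeeded.
    console.error('getUserInfo failed', err);
    return;
  }
  localStorage.setItem('profile', JSON.stringify(profile));
  // Angular's router takes an array of path segments; the original line had
  // a stray quote (`'/']`) and would not parse.
  this.router.navigate(['/']);
  console.log(profile);
});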
However, on my Node.js backend I get `401 Unauthorized` when I call `/userinfo` with the bearer token forwarded from the incoming `Authorization` header, which I expected to be the same access token:
app.post("/claimAccount", checkJwt, function(req,res){
var bodyStr = '';
req.on("data",function(chunk){
bodyStr += chunk.toString();
});
req.on("end",function(){
try {
const data = JSON.parse(bodyStr);
console.log(req.user);
console.log(req.headers.authorization);
var headers = {
'authorization': req.headers.authorization,
'content-type': 'application/json'
};
var options = {
url: 'https://etherauth.eu.auth0.com/userinfo',
headers: headers
};
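// Handles the response of the server-side /userinfo call.
// `error` is set when the request itself failed (DNS, TLS, socket); in that
// case `response` is undefined, so it must not be dereferenced first — the
// original read `response.statusCode` before checking `error`.
function callback(error, response, body) {
  if (error) {
    console.error("userinfo request failed: " + error.message);
    return;
  }
  console.log("statuscode : " + response.statusCode);
  if (response.statusCode === 200) {
    console.log("ui succ: " + body);
    return;
  }
  // A 401 from the token endpoint normally carries a WWW-Authenticate header
  // saying why the bearer token was rejected; surface it instead of dropping it.
  const reason = response.headers ? response.headers['www-authenticate'] : undefined;
  console.log("ui fail: " + reason + " " + body);
}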
request(options, callback);
});
`req.user`, after the `checkJwt` middleware has run, consists of the following:
{ iss: 'https://etherauth.eu.auth0.com/',
sub: 'facebook|10154740758691918',
aud: '2eY_5Pf9DxJx1R1CqvJsYPHbwGfbCLDz',
exp: 1504739649,
iat: 1504703649,
nonce: 'saMorzyuLIE7GkyS3FA9SK-_lOfoONSk',
at_hash: 'zivjSUNooWq38kemfFfQhw' }
I cannot simply have the frontend send the userinfo profile to the backend, because the backend must not trust client-supplied identity data that could be spoofed.
Maybe this is related: why does `req.user.aud` equal my client ID on the backend API call, when the Lock constructor in the frontend sets `audience: https://${AUTH_CONFIG.domain}/userinfo`? An `aud` equal to the client ID together with `nonce` and `at_hash` claims is the shape of an OIDC ID token rather than an access token, so the `Authorization` header may be carrying the ID token.