Getting /userinfo from frontend works, but not from backend

I use Lock to authenticate on my Angular frontend without any problems:

  lock = new Auth0Lock(AUTH_CONFIG.clientID, AUTH_CONFIG.domain, {
    oidcConformant: true,
    autoclose: true,
    socialButtonStyle: 'small',
    rememberLastLogin: true,

    auth: {
      redirectUrl: AUTH_CONFIG.callbackURL,
      responseType: 'token id_token',
      audience: `https://${AUTH_CONFIG.domain}/userinfo`,
      params: {
          prompt: 'select_account',
      },
    },
  });

Getting userinfo works too:

    this.lock.getUserInfo(authResult.accessToken, (err, profile) => {
      if (err) {           // surface a failed /userinfo call instead of storing nothing
        console.error(err);
        return;
      }
      localStorage.setItem('profile', JSON.stringify(profile));
    });

However, on my nodejs backend I get an Unauthorized 401 message when trying to access /userinfo using the same access token:

    const request = require('request');   // HTTP client used below; `app` and `checkJwt` are set up elsewhere

    app.post("/claimAccount", checkJwt, function(req, res) {   // HTTP method was cut off in the post; POST fits the body read below
        var bodyStr = '';
        req.on('data', function(chunk) {
            bodyStr += chunk.toString();
        });
        req.on('end', function() {
            try {
                const data = JSON.parse(bodyStr);   // parsed request body (not used further in this excerpt)

                var headers = {
                    'authorization': req.headers.authorization,   // forward the caller's bearer token as-is
                    'content-type': 'application/json'
                };

                var options = {
                    url: '',   // userinfo URL; left blank in the original post
                    headers: headers
                };

                function callback(error, response, body) {
                    if (error) { return res.status(502).send(String(error)); }
                    console.log("statuscode : " + response.statusCode);
                    if (!error && response.statusCode == 200) {
                        console.log("ui succ: " + body);
                    }
                    res.status(response.statusCode).send(body);   // relay the upstream result to the caller
                }
                request(options, callback);
            } catch (e) {
                res.status(400).send('invalid JSON body');
            }
        });
    });

req.user consists of the following:

{ iss: '',
  sub: 'facebook|10154740758691918',
  aud: '2eY_5Pf9DxJx1R1CqvJsYPHbwGfbCLDz',
  exp: 1504739649,
  iat: 1504703649,
  nonce: 'saMorzyuLIE7GkyS3FA9SK-_lOfoONSk',
  at_hash: 'zivjSUNooWq38kemfFfQhw' }

I cannot just send the userinfo to the backend since there should be no way of spoofing it.

Maybe this is related: how come req.aud equals my ClientID on the backend API call, when I have audience: https://${AUTH_CONFIG.domain}/userinfo in the lock constructor in the frontend?
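An added check, not from the original post or from Auth0, that tells the two token kinds apart by the claims the post's req.user shows: an ID token carries aud equal to the client ID plus nonce and at_hash, while an access token minted for /userinfo carries aud equal to the userinfo URL. It assumes the client ID printed in the post and a constructed placeholder domain; the sample token it builds is unsigned and for offline demonstration only.

```javascript
// Added example, not from the original post or from Auth0: classify a bearer
// token by its claims before forwarding it to /userinfo, so an ID token
// (aud = client ID, nonce, at_hash) is rejected early instead of yielding a 401.
const CLIENT_ID = '2eY_5Pf9DxJx1R1CqvJsYPHbwGfbCLDz'; // the aud shown in the post
const DOMAIN = 'example.auth0.com';                    // assumed placeholder domain
const USERINFO_AUDIENCE = `https://${DOMAIN}/userinfo`;

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode the JWT payload only; signature verification stays with checkJwt.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// 'id_token' if it is addressed to the client and carries ID-token-only
// claims, 'access_token' if it is addressed to the userinfo endpoint.
function classifyToken(payload) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const idOnlyClaims = 'nonce' in payload || 'at_hash' in payload;
  if (aud.includes(CLIENT_ID) && idOnlyClaims) return 'id_token';
  if (aud.includes(USERINFO_AUDIENCE)) return 'access_token';
  return 'unknown';
}

// Guard for the backend route: only forward an access token meant for /userinfo.
function checkTokenKind(authorizationHeader) {
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader || '');
  if (!m) return { ok: false, reason: 'missing bearer token' };
  const kind = classifyToken(decodePayload(m[1]));
  if (kind === 'access_token') return { ok: true, kind };
  return { ok: false, kind, reason: `expected access token for ${USERINFO_AUDIENCE}` };
}

// Constructed, unsigned sample token (alg=none) for offline demonstration only.
function sampleJwt(payload) {
  const enc = (o) => b64url(Buffer.from(JSON.stringify(o)));
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
```

Running checkTokenKind on the post's req.user claims returns ok: false with kind 'id_token', which is the token kind that /userinfo answers with 401.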