How can I get a valid JWT accessToken in a Regular Web Application?

I am implementing authorization in a standard web application (Regular Web Application in the Auth0 dashboard, Golang) using the authorization code flow, following this guide: Auth0 Go SDK Quickstarts: Add Login to your Go web application.

But the Exchange method returns a token that is not a valid JWT (checked with jwt.io). I have read here, Requesting accessToken not returning a valid JWT, that it is an opaque access token and that I should provide an audience.

But only an API (not an application) has an audience in the Auth0 dashboard. When I create an API, a new application immediately appears in the Applications tab, but with the type Machine to Machine (not Regular Web Application).

But how can I do it using the Golang SDK in a Regular Web Application?

Hi @bryce.wayne.person,

When you register an API in the Auth0 Dashboard, a Machine-to-Machine application is automatically created for you under the Applications tab. This is expected. You will need to use the API Identifier value as the audience parameter in your application. Can you give that a try?

Related documentation:

Best,

Mary Beth
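The suggestion above, sketched as an added example that is not part of the thread and not Auth0's own code: the Regular Web Application's authorization request carries the API Identifier as `audience`, and a shape check tells a JWT access token from an opaque one. The domain, client ID, callback URL, API Identifier and scopes are placeholders; with golang.org/x/oauth2 the same parameter is passed as `oauth2.SetAuthURLParam("audience", apiIdentifier)` to `AuthCodeURL`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// AuthorizeURL builds the authorization code flow redirect and adds the
// API Identifier as the audience parameter (scopes are assumed values).
func AuthorizeURL(domain, clientID, redirectURI, apiIdentifier, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid profile offline_access")
	q.Set("audience", apiIdentifier)
	q.Set("state", state)
	return (&url.URL{Scheme: "https", Host: domain, Path: "/authorize", RawQuery: q.Encode()}).String()
}

// JWTAudience reports whether token is JWT-shaped and returns its aud claim.
// It does NOT verify the signature; do that with a JWT library and the JWKS.
func JWTAudience(token string) (aud []string, isJWT bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, false // opaque token: not three dot-separated segments
	}
	var header map[string]interface{}
	var claims struct{ Aud interface{} `json:"aud"` }
	for i, dst := range []interface{}{&header, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, false
		}
	}
	switch v := claims.Aud.(type) {
	case string: // aud may be a single string or an array of strings
		return []string{v}, true
	case []interface{}:
		for _, a := range v {
			aud = append(aud, fmt.Sprint(a))
		}
	}
	return aud, true
}

func main() { fmt.Println(AuthorizeURL("tenant.example.com", "CLIENT_ID", "https://app.example.com/callback", "https://api.example.com", "random-state")) }
```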

Hi, thank you for your answer.

If I follow the instructions in Auth0 Go SDK Quickstarts: Add Login to your Go web application using the Machine to Machine client (the one that was created automatically when I created the API), then I get the error “Grant type ‘authorization_code’ not allowed for the client.” when I try to log in.

Can I somehow get a valid JWT using a Regular Web Application type application in Auth0?

If not, how can I validate the received (opaque) access token? I found only these instructions on how to do this: Auth0 Go API SDK Quickstarts: Authorization. There the audience is a required parameter, and it responds with an error to an opaque token.

My task looks like this:

  • Receive an access token (standard web application (Regular Web Application in the Auth0 dashboard), Golang, using the authorization code flow).
  • Be able to validate this access token.
  • Be able to update it, receiving a new pair of keys (access token + refresh token) when the access token has expired.

Now I have problems with point 2.

Hi!
Help me please, I am implementing this scenario:

  1. The user registered through the login page (passed the authorization code flow). The backend saves the resulting opaque access token in a cookie, and I also save the refresh token for this access token in the database.
    Next, all API requests from the frontend are sent with the received opaque access token in the cookie.
  2. For each such API request from the frontend, the backend does this: validate the access token (signature) from the cookie → check whether it has expired → if it has expired, refresh it using the refresh token and set the new access token in the cookie. P.S. Refresh token rotation is on, of course.