Hello, I'm new to Auth0 and need your help.
I managed to connect Auth0 to Google through the authorization code flow
https://auth0.com/docs/flows/add-login-auth-code-flow
and I tried to get the token from the code given in the response, so I hit the endpoint /oauth/token and it returned
{
  "access_token": "KCIlvdlLBQd2TWPM…JItr2WL1Wfc4",
  "id_token": "eyJhbGciOiJSUzI1NiIsIn…CgK0YvSQ",
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"
}
Then I wanted to validate the access token using this tutorial: https://auth0.com/docs/quickstart/backend/nodejs/01-authorization
and it returned a result like this:
{
  "status": "error",
  "statusCode": 500,
  "message": "jwt malformed",
  "stack": "UnauthorizedError: jwt malformed\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/lib/index.js:105:22\n at Object.module.exports [as verify] (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/jsonwebtoken/verify.js:63:12)\n at verifyToken (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/lib/index.js:103:13)\n at fn (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:746:34)\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:1213:16\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:166:37\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:706:43\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:167:37\n at Immediate. (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:1206:34)\n at processImmediate (internal/timers.js:439:21)\n at process.topLevelDomainCallback (domain.js:126:23)"
}
My default login using username and password works fine with the validation.
Is there some step I missed?
Hi @dunianina15
You are probably not specifying an audience. If you don’t specify an audience, the access token will be opaque, not a JWT. Thus you are getting the malformed JWT error.
John
Let us know if that was the issue!
Still no luck. I added the audience in the header and it still returns the opaque access token.
curl --location --request POST 'https://xxxx/oauth/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Cookie: __cfduid=db83cae56615b9f38a4c10ef54591be1b1606024946; did=s%3Av0%3A4ecb41d0-2c88-11eb-adb3-49c473203ca3.sRjAcvboPJoeDRcmqny8b0LIjoAcGnQTcTd5kSL3EYc; did_compat=s%3Av0%3A4ecb41d0-2c88-11eb-adb3-49c473203ca3.sRjAcvboPJoeDRcmqny8b0LIjoAcGnQTcTd5kSL3EYc' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'client_id=6qSQaPHbIALYSHl…wzmXvHO7GhYQW' \
  --data-urlencode 'client_secret=gyjQE2E8fH…IgNV7Bm' \
  --data-urlencode 'code=pzCEttG…9b3ec' \
  --data-urlencode 'redirect_uri=https://localhost:3006/login' \
  --data-urlencode 'audience=https://…/api/v2/'
{
  "access_token": "N8CB5tsugZRP…ipX4q4mP",
  "id_token": "eyJhbGciOiJSUzI1NiI…8KEuIf8v8AvzIpx8O7-IZy9qijbFKluM1DkuMGuryDPrqgBReqeH0BzYnCUz2vHtK4ey0Y6ER1_B7qOXxgq-R3F8LYQR3RMZeJBZcr4Cd7W5BCKnI-_SVr7CrTw7mSQl8AikOluOvOdkAaO4jPZTkAEcDuLOXDAmZRfMADa29Sul0TR39JdJaImODq3wCX7nAJIrMLS8rngAy-TtTulMCxZNbf5CxE3Lo_U9lEX2hyt1A",
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"
}
Should I add the scope in the header too?
You need the audience in the initial /authorize call, not the oauth/token call.
John
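An added example, not part of the original thread or Auth0's own code: it builds the /authorize URL with the `audience` parameter and checks whether the resulting access token is an opaque string or a JWT for the expected API before it is handed to the verification middleware. The domain, client ID, audience and sample tokens are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example (not from the thread). Domain, client ID, audience and the
// sample tokens below are constructed placeholders.

// Build the /authorize URL. `audience` goes here, not on /oauth/token.
function buildAuthorizeUrl({ domain, clientId, redirectUri, audience, scope, state }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    audience,
    state,
  }).toString();
  return url.toString();
}

// Decode one base64url segment to a JSON value, or null if it is not JSON.
function decodeSegment(segment) {
  try {
    return JSON.parse(Buffer.from(segment, 'base64').toString('utf8'));
  } catch {
    return null;
  }
}

// Diagnostic only: inspects token shape and `aud`, does NOT verify the signature.
function diagnoseAccessToken(token, expectedAudience) {
  const parts = String(token).split('.');
  const header = parts.length === 3 ? decodeSegment(parts[0]) : null;
  const payload = parts.length === 3 ? decodeSegment(parts[1]) : null;
  if (!header || !payload || typeof header.alg !== 'string') {
    return 'opaque: not a JWT, check that /authorize carried an audience';
  }
  const aud = [].concat(payload.aud || []); // `aud` may be a string or an array
  if (!aud.includes(expectedAudience)) {
    return 'jwt: audience mismatch';
  }
  return 'jwt: ready for signature verification';
}

// Constructed sample tokens (the signature segment is a dummy value).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const API = 'https://api.example.test/';
const sampleJwt = [b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ aud: [API, 'https://tenant.example.test/userinfo'] }), 'c2ln'].join('.');
const sampleOpaque = 'constructed-opaque-token-value';
```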
Ahhhh I see,
thank you, it is working now.
Perfect! Glad to hear that!