How to validate token from login from authorization flow

Hello, I'm new to Auth0 and need your help.

I managed to connect Auth0 to Google through the authorization code flow:
https://auth0.com/docs/flows/add-login-auth-code-flow

and I tried to get the token from the code given in the response, so I hit the endpoint /oauth/token and it returned
{
"access_token": "KCIlvdlLBQd2TWPM…JItr2WL1Wfc4",
"id_token": "eyJhbGciOiJSUzI1NiIsIn…CgK0YvSQ",
"scope": "openid profile",
"expires_in": 86400,
"token_type": "Bearer"
}

Then I wanted to validate the access token using this tutorial: https://auth0.com/docs/quickstart/backend/nodejs/01-authorization

and it returned a result like this

{
"status": "error",
"statusCode": 500,
"message": "jwt malformed",
"stack": "UnauthorizedError: jwt malformed\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/lib/index.js:105:22\n at Object.module.exports [as verify] (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/jsonwebtoken/verify.js:63:12)\n at verifyToken (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/lib/index.js:103:13)\n at fn (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:746:34)\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:1213:16\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:166:37\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:706:43\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:167:37\n at Immediate. (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:1206:34)\n at processImmediate (internal/timers.js:439:21)\n at process.topLevelDomainCallback (domain.js:126:23)"
}

My default login using username and password works fine with the validation.

Is there some step I missed?

Hi @dunianina15

You are probably not specifying an audience. If you don’t specify an audience, the access token will be opaque, not a JWT. Thus you are getting the malformed JWT error.

John


Let us know if that was the issue!

Still no luck. I added the audience in the request and it still returns an opaque access token:

curl --location --request POST 'https://xxxx/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: __cfduid=db83cae56615b9f38a4c10ef54591be1b1606024946; did=s%3Av0%3A4ecb41d0-2c88-11eb-adb3-49c473203ca3.sRjAcvboPJoeDRcmqny8b0LIjoAcGnQTcTd5kSL3EYc; did_compat=s%3Av0%3A4ecb41d0-2c88-11eb-adb3-49c473203ca3.sRjAcvboPJoeDRcmqny8b0LIjoAcGnQTcTd5kSL3EYc' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=6qSQaPHbIALYSHl…wzmXvHO7GhYQW' \
--data-urlencode 'client_secret=gyjQE2E8fH…IgNV7Bm' \
--data-urlencode 'code=pzCEttG…9b3ec' \
--data-urlencode 'redirect_uri=https://localhost:3006/login' \
--data-urlencode 'audience=https://…/api/v2/'

{
"access_token": "N8CB5tsugZRP…ipX4q4mP",
"id_token": "eyJhbGciOiJSUzI1NiI…8KEuIf8v8AvzIpx8O7-IZy9qijbFKluM1DkuMGuryDPrqgBReqeH0BzYnCUz2vHtK4ey0Y6ER1_B7qOXxgq-R3F8LYQR3RMZeJBZcr4Cd7W5BCKnI-_SVr7CrTw7mSQl8AikOluOvOdkAaO4jPZTkAEcDuLOXDAmZRfMADa29Sul0TR39JdJaImODq3wCX7nAJIrMLS8rngAy-TtTulMCxZNbf5CxE3Lo_U9lEX2hyt1A",
"scope": "openid profile",
"expires_in": 86400,
"token_type": "Bearer"
}

Should I add the scope in the request too?

You need the audience in the initial /authorize call, not the /oauth/token call.

John


Ahhhh, I see.

Thank you, it is working now.


Perfect! Glad to hear that!