Hello, I'm new to Auth0 and need your help.
I managed to connect Auth0 to Google through the authorization code flow
https://auth0.com/docs/flows/add-login-auth-code-flow
and I tried to get the token from the code given in the response, so I hit the endpoint /oauth/token and it returned
{
  "access_token": "KCIlvdlLBQd2TWPM…JItr2WL1Wfc4",
  "id_token": "eyJhbGciOiJSUzI1NiIsIn…CgK0YvSQ",
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"
}
Then I wanted to validate the access token using this tutorial https://auth0.com/docs/quickstart/backend/nodejs/01-authorization
and it returned a result like this
{
  "status": "error",
  "statusCode": 500,
  "message": "jwt malformed",
  "stack": "UnauthorizedError: jwt malformed\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/lib/index.js:105:22\n at Object.module.exports [as verify] (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/jsonwebtoken/verify.js:63:12)\n at verifyToken (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/lib/index.js:103:13)\n at fn (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:746:34)\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:1213:16\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:166:37\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:706:43\n at /Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:167:37\n at Immediate. (/Users/zlip2x/Desktop/TRAXSHOT/traxshot.web/node_modules/express-jwt/node_modules/async/lib/async.js:1206:34)\n at processImmediate (internal/timers.js:439:21)\n at process.topLevelDomainCallback (domain.js:126:23)"
}
My default login using username and password works fine with the validation.
Is there some step I missed?
Hi @dunianina15
You are probably not specifying an audience. If you don’t specify an audience, the access token will be opaque, not a JWT. Thus you are getting the malformed JWT error.
John
Let us know if that was the issue!
Still no luck. I added the audience in the header and it still returns the opaque access token.
curl --location --request POST 'https://xxxx/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cookie: __cfduid=db83cae56615b9f38a4c10ef54591be1b1606024946; did=s%3Av0%3A4ecb41d0-2c88-11eb-adb3-49c473203ca3.sRjAcvboPJoeDRcmqny8b0LIjoAcGnQTcTd5kSL3EYc; did_compat=s%3Av0%3A4ecb41d0-2c88-11eb-adb3-49c473203ca3.sRjAcvboPJoeDRcmqny8b0LIjoAcGnQTcTd5kSL3EYc' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=6qSQaPHbIALYSHl…wzmXvHO7GhYQW' \
--data-urlencode 'client_secret=gyjQE2E8fH…IgNV7Bm' \
--data-urlencode 'code=pzCEttG…9b3ec' \
--data-urlencode 'redirect_uri=https://localhost:3006/login' \
--data-urlencode 'audience=https://…/api/v2/'
{
  "access_token": "N8CB5tsugZRP…ipX4q4mP",
  "id_token": "eyJhbGciOiJSUzI1NiI…8KEuIf8v8AvzIpx8O7-IZy9qijbFKluM1DkuMGuryDPrqgBReqeH0BzYnCUz2vHtK4ey0Y6ER1_B7qOXxgq-R3F8LYQR3RMZeJBZcr4Cd7W5BCKnI-_SVr7CrTw7mSQl8AikOluOvOdkAaO4jPZTkAEcDuLOXDAmZRfMADa29Sul0TR39JdJaImODq3wCX7nAJIrMLS8rngAy-TtTulMCxZNbf5CxE3Lo_U9lEX2hyt1A",
  "scope": "openid profile",
  "expires_in": 86400,
  "token_type": "Bearer"
}
Should I add the scope in the header too?
You need the audience in the initial /authorize call, not the oauth/token call.
John
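What the answer above describes, as an added example that is not part of the original thread: the audience is placed on the initial /authorize URL, and a small diagnostic tells an opaque access token from a JWT before it reaches express-jwt. The tenant domain, API identifier, client ID, state value and function names are constructed placeholders.

```javascript
// Added example; TENANT, API_AUDIENCE and the client values are constructed placeholders.
const TENANT = "https://example-tenant.example.com";
const API_AUDIENCE = "https://api.example.com/";

// Build the /authorize URL for the authorization code flow. The audience
// belongs here; sent only to /oauth/token it does not change the token format.
function buildAuthorizeUrl({ clientId, redirectUri, scope, state, audience }) {
  const url = new URL("/authorize", TENANT);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    ...(audience ? { audience } : {}),
  }).toString();
  return url.toString();
}

// Diagnostic only: decodes without verifying the signature, so the result
// must never be used for an authorization decision.
function classifyAccessToken(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) {
    return { kind: "opaque" }; // not three base64url segments
  }
  try {
    const decode = (p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
    const header = decode(parts[0]);
    const payload = decode(parts[1]);
    if (typeof header.alg !== "string") return { kind: "opaque" };
    return { kind: "jwt", alg: header.alg, aud: payload.aud };
  } catch {
    return { kind: "opaque" }; // segments do not decode to JSON
  }
}

// Constructed sample values.
console.log(buildAuthorizeUrl({
  clientId: "EXAMPLE_CLIENT_ID",
  redirectUri: "https://localhost:3006/login",
  scope: "openid profile",
  state: "constructed-state-value",
  audience: API_AUDIENCE,
}));
console.log(classifyAccessToken("N8CB5tsugZRPconstructedipX4q4mP")); // { kind: 'opaque' }
```

Logging the `kind` before the JWT middleware runs makes a missing audience visible as "opaque" instead of surfacing as a 500 with "jwt malformed".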
Ahhhh I see,
thank you, it is working now.
Perfect! Glad to hear that!