Invalid access token returned by Nuxt auth0/auth0-nuxt useAuth0 composable

Hello,

I am trying to get an access token in my Nuxt app using the auth0-nuxt SDK. I understand that it is still in beta.

I implemented login and logout successfully, and now I am trying to get an access token to include in my API requests. The docs on GitHub mention that I only need to set up the following in the runtimeConfig of my nuxt.config.ts (each value can be overridden by an environment variable):

If you need to call an API on behalf of the user, you want to specify the audience parameter when registering the runtime configuration for the auth0 module. This will make the SDK request an access token for the specified audience when the user logs in.

runtimeConfig: {
  auth0: {
    domain: '<AUTH0_DOMAIN>', // is overridden by NUXT_AUTH0_DOMAIN environment variable
    clientId: '<AUTH0_CLIENT_ID>', // is overridden by NUXT_AUTH0_CLIENT_ID environment variable
    clientSecret: '<AUTH0_CLIENT_SECRET>', // is overridden by NUXT_AUTH0_CLIENT_SECRET environment variable
    sessionSecret: '<SESSION_SECRET>', // is overridden by NUXT_AUTH0_SESSION_SECRET environment variable
    appBaseUrl: '<APP_BASE_URL>', // is overridden by NUXT_AUTH0_APP_BASE_URL environment variable
    audience: '<AUTH0_AUDIENCE>', // is overridden by NUXT_AUTH0_AUDIENCE environment variable
  },
}

Retrieving the token can be achieved by calling getAccessToken on the server-side composable useAuth0:

// `event` is the H3 request event of the server route or middleware
const auth0Client = useAuth0(event);
const accessTokenResult = await auth0Client.getAccessToken();
// You can now use `accessTokenResult.accessToken`

Which I did. For testing purposes only, I return my access token and the audience to the client side (since the composable is a server-side composable) for verification. The audience looks correct; it matches the one I have configured, which makes me assume it is being sent in the token request.

The token is retrieved successfully after the user logs in, as well as the audience (which is my API's identifier). However, the returned token is not a valid JWT. It seems like it is returning a JWE token. I checked my API settings, and JWE is turned off.

Any idea on what I could be missing here?

Thanks!

Hello @ImadMAKS,

Welcome to the Auth0 Community!

Usually this type of situation is encountered when the audience parameter was not included when requesting an access token, but from what I have checked above you should have set it properly. What I would recommend is to ensure that your API's Token Signing Algorithm is set to RS256, which dictates receiving a JWT, and also to include in your request the scopes that match the permissions you designated on your custom API, such as:

auth0: {
  audience: '<AUTH0_AUDIENCE>',
  // the scopes you need (standard OIDC scopes + your custom API scopes)
  scope: 'openid profile email <CUSTOM_API_SCOPES>',
  // ... rest of your configuration
},

You could also try using the Management API as the audience (https://YOUR_DOMAIN/api/v2/) instead of your current custom API, just to check whether the returned access token is a JWT.

I would also recommend checking How to Stop Getting JWEs when JWT is Required, since it provides useful documentation links, or Opaque Versus JWT Access Token.

Please let me know how this goes, and if this fixes the issue!
Thank you and kind regards,
Remus

Hello @remus.ivan ,

Everything you mentioned above was already set up correctly.

I ended up finding the solution. I had set up users to sign in as part of an organization only.

In "Login Experience" I had chosen "Business users", then "Prompt for Organization", then "Prompt for organization email". I assumed that Auth0 would automatically know which organization the user is trying to sign in to, or would prompt the user with the list of organizations they are part of so the user could choose. The reason I thought this is that the flow preview shows a list of organizations on step 2, which is misleading.

I ended up using "No Prompt" and sending the organization ID in my request, which made it work, and only then did I get a JWT.

Thanks for your input!

I hope this helps anyone else in the same situation.

Cheers!

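To see what actually came back from getAccessToken, here is an added inspection helper; it is not part of the auth0-nuxt SDK or of any post in this thread. It classifies a token string as a compact JWS (a signed JWT, three segments), a compact JWE (five segments, header carrying enc) or an opaque string, and for a JWS it decodes the unverified claims to report whether alg is RS256 (Remus's check above), whether aud contains the configured API identifier, and whether an org_id claim is present, which is what the organization fix above produces. The sample tokens, issuer, audience, scopes and org_id are constructed placeholders with a fake signature; the helper verifies nothing cryptographically, so use it only to diagnose which kind of token you received.

```javascript
// Added example (not from the auth0-nuxt SDK or the original posts): classify an
// access token string as JWS (signed JWT), JWE or opaque, and surface the claims
// relevant to this thread (alg, aud, org_id). Node 18+, no network access needed.

function decodeSegment(segment) {
  // base64url -> UTF-8 -> JSON; returns null when the segment is not JSON.
  try {
    return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

function inspectAccessToken(token, expectedAudience) {
  const parts = token.split('.');
  const header = parts.length >= 2 ? decodeSegment(parts[0]) : null;

  if (parts.length === 5 && header && header.enc) {
    // Compact JWE: header.encryptedKey.iv.ciphertext.tag. The payload is
    // encrypted, so no claims can be read without the decryption key.
    return { kind: 'JWE', alg: header.alg, enc: header.enc, audienceMatches: null, orgId: null };
  }

  if (parts.length === 3 && header && header.alg) {
    // Compact JWS: header.payload.signature. Claims are only base64url-encoded,
    // so they are readable here but NOT trustworthy until the signature is checked.
    const claims = decodeSegment(parts[1]) || {};
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud].filter(Boolean);
    return {
      kind: 'JWS',
      alg: header.alg,
      signingAlgOk: header.alg === 'RS256',
      audienceMatches: aud.includes(expectedAudience),
      orgId: claims.org_id ?? null,
      scope: claims.scope ?? null,
    };
  }

  // Anything else (e.g. a random string) is an opaque token for our purposes.
  return { kind: 'opaque', alg: null, audienceMatches: null, orgId: null };
}

// Constructed sample tokens for offline testing (hypothetical tenant, API and org).
// Header and payload are genuine base64url JSON; the signature is a placeholder.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

const SAMPLE_API_AUDIENCE = 'https://api.example.com';

const SAMPLE_JWS = [
  b64url({ alg: 'RS256', typ: 'JWT', kid: 'constructed-kid' }),
  b64url({
    iss: 'https://example.auth0.com/',
    aud: [SAMPLE_API_AUDIENCE, 'https://example.auth0.com/userinfo'],
    org_id: 'org_constructedId',
    scope: 'openid profile email read:items',
  }),
  'constructed-signature',
].join('.');

const SAMPLE_JWE = [
  b64url({ alg: 'dir', enc: 'A256GCM', iss: 'https://example.auth0.com/' }),
  '', // direct encryption: the encrypted-key segment is empty
  'constructed-iv',
  'constructed-ciphertext',
  'constructed-tag',
].join('.');

const SAMPLE_OPAQUE = 'constructedOpaqueToken12345';

console.log(inspectAccessToken(SAMPLE_JWS, SAMPLE_API_AUDIENCE));
console.log(inspectAccessToken(SAMPLE_JWE, SAMPLE_API_AUDIENCE));
console.log(inspectAccessToken(SAMPLE_OPAQUE, SAMPLE_API_AUDIENCE));
```

If the result is `JWE` or `opaque`, the token was not minted for your API and the audience (or, as in this thread, the organization) never reached the authorization request; if it is `JWS` but `audienceMatches` is false, the wrong audience was sent. For actual validation of the signature, issuer and audience in your API, use a verifying library such as jose or express-oauth2-jwt-bearer rather than this helper.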

Hi @ImadMAKS,

Thank you for sharing your findings with the rest of the Community, since it might indeed help others as well!

Best regards,
Remus
