Issues getting Access Token

Modius · March 20, 2019, 7:46pm

Continuation of a reply to another thread, but limited to 3 replies, it says to edit one of the others, but I can’t do that. (this is SO stupid I can’t even begin to describe it, I could create a new topic, or a new account, but not a new reply)

So, to recap the original issue:
I am modifying the CONFIG ONLY of an application that currently uses ADFS and OAuthService object from Angular to do the oauth2 protocol. This works fine in ADFS.

In Auth0, it would work, but the Access_Token that is requested is returning a short token that is not a JWT, apparently, you have to specify an ‘audience=’ (which the keyword appears to be case sensitive! Audience causes auth0 to crap out.), and that returns a Access Token that is a JWT like I was expecting.

If you have no API’s defined, adding the audience parameter just causes everything to break and it redirects to the URL with # and nothing instead of the token.

Ok, if I create an API, for the locahost:5005, it returns a token with a Dual-Audience (the requested one: localhost:5005 and a bonus one for Auth0…) . Then when it tries to validate this, I get ‘Invalid Audience’ in the validation. This is true no matter if I specify localhost:4205 (UI), or localhost:5005 (API) for the requested Audience. ADFS is SO MUCH easier to setup and it was a Freaking nightmare!

I tried to edit the API to add a trailing / to the ‘http://localhost:5005’ but apparently, once created you can’t edit it!! OMG Seriously? So, I created a 2nd one with that… which didn’t help.

Any idea how I can just drop Auth0 in for an ADFS replacement, or do I just need to drop Auth0?

I tried sending an e-mail to Support, but they apparently don’t want to support potential paying customers, only those that have already paid…

Don’t ask too many questions, as I’m only allowed 2 more replies to this before I have to create another topic or account.

PS: the other issue I’m having is that I used the pre-defined ‘role’ claim, which ADFS correctly returns as just ‘role’, but the best I can get from Auth0 is:

“http://schemas.microsoft.com/ws/2008/06/identity/claims/role”: “admin”

instead of the correct: “role” : “admin”
Like I get with ADFS.

If you specify just ‘role’ then Auth0 decides that it is going to enforce the ‘suggestion’ about namespaces and NOT let you send it through. (This isn’t showing up in the AuthToken, only the the idToken, but that could be because of the rule that I have that adds it… First I have to get this stuff working at all…)

markd · March 21, 2019, 12:26am

Hi @Modius,

I believe the reply limit only applies to replying directly to yourself. You can of course have as many replies as needed in the course of an entire thread (replies to other people).

Instead of replying to yourself, you can always edit an existing post with new info.

Just an opinion but I don’t think any OAuth / OIDC service is a drop-in replacement for another such service. The OAuth specs give the implementor a lot of lee-way in how they implement the service. OpenID Connect is a bit more strict but even then there is room for implementation specific solutions.

The OAuth spec does not specify the format of an access token. Access token format is one of those things left to the implementor. Opaque access tokens are very common, probably most common, though Auth0 also supports / uses JWTs.

Modius · March 21, 2019, 6:55pm

Shortly after posting the other thread, it upgraded me to being able to reply more. It wasn’t letting me edit the replies either.

I got Auth0 working, per the other thread, but had to hack the use of OAuthService provided by Angular to make it work. (details in the other thread).

And yes, my problem with Auth0 is that the OAuth Spec doesn’t specify the format of the claims in the Access Token (‘role’ : ‘Admin’ is permitted, but Auth0 blocks it, making it be ‘http://something.x/role’ - which maps back to the JavaScript object so if the object was named token, it would be ‘token.http://something.x/role’ . Which doesn’t pass syntax, so you have to use: token[‘http://something.x/role’] in order to access the value. This should be removed as a ‘feature’ of Auth0 - or at least, changed so we have a flag to turn it off. There are a LOT of claims that other systems return without the fully qualified names (Microsoft’s ADFS claims are all stripped, as I’m sure are others.) . This just ends up limiting Auth0’s usefulness, and clearly, others

I figured out how to work around everything else, so I have hacked the code to allow Auth0 to work.

Your last comment is valid, but ‘Auth0 also supports/uses JWTs’ - but limits what you can put in them - which is what I have an issue with.

Thank you for your time,

-C

konrad.sopala · August 30, 2019, 12:22pm

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

Topic		Replies	Views
Passing 1 audience to get access_token request, but returned access_token has 2 audience Help jwt	6	2760	April 12, 2022
Why I wont use Auth0 Help login , documentation , feedback	2	5384	September 15, 2020
401 - Bad Audience Help management-api , users	3	1843	July 5, 2023
Authentication API and Enterprise ADFS Help	2	4646	September 29, 2020
Invalid access_token JWT.io jwt , auth0	3	5372	March 28, 2020

Issues getting Access Token

Related topics