JWKS Endpoint requests issue

I’m new to Auth0 - and getting this error in the console. The auth0 log indicates I am logged in - but my graphQL response is indicating “Unexpected token < in JSON at position 0” which makes me think I am receiving back HTML instead of JSON. In the console, I’m seeing the following:

JwksRateLimitError: Too many requests to the JWKS endpoint

Is there something else going on here that I’m not seeing? The server crashes due to the number of requests, and I’m not getting the user information back in JSON. I am logged in though, so that’s a good success.

Hello, @lastneurino,

The JWKS endpoint is located at auth0.doma.in/.well-known/jwks.json, and contains a list of JSON Web Keys that you can use to verify the signature of the token. It is, however, rate limited.

Are you caching the responses from this endpoint? If not, I would recommend you do to avoid hitting this issue.

Ok - I’m just getting started here and using Apollo. I’m really at the ‘hello world’ stage, trying to duplicate what I used to do in Ruby on Rails with a home brewed authentication and authorization system.

In Apollo, I’m storing the user with the following:

const server = new ApolloServer({
    subscriptions: false,
    context: ({ req }) => {
        const user = req.user || null;
        return { user };

I have cache set in the check of the token access:

   const jwtCheck = jwt({
        secret: jwksClient.expressJwtSecret({
            cache: true,
            rateLimit: true,
            jwksRequestsPerMinute: 5,
            jwksUri: `${process.env.AUTH0_ISSUER}.well-known/jwks.json`

            audience: process.env.AUTH0_AUDIENCE,
            issuer: process.env.AUTH0_ISSUER,
            algorithms: ['RS256'],
            credentialsRequired: false

where the env variables are:

AUTO0_ISSUER=https://<my tenant>.us.auth0.com/

Is the jwksUri incorrect? It doesn’t match yours, but I’m just following a hello world type example and just trying to get the user. The login is definitely happening.

Hello, @lastneutrino,

Did you copy this directly from your code? If so, there might be a typo here - should be AUTH0 instead of AUTO0.

You’re a god. At least my concept was good - dyslexia was the mountain.

Sort of an odd response to a completely incorrect variable, isn’t it? Technically the issuer, not being defined, shouldn’t have tried to connect?

I get the user object now, and was able to verify the incorrect access token returned a null user. Thanks again.

Hey there @joseantonio.rey!

Would you be able to followup on that? Thanks!

I think it’s a client issue, but as a suggestion, if auth0 used Mandi Wise’s setup as a ‘hello world’ to auth0, it would go a lot smoother. In terms of the other issue, forgetting about the local us domain in the uri, a request to that uri should return an error, that’s an auth0 issue.

Sorry - I’ve been off last week.

This is indeed a client error, as @lastneutrino mentioned.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.