JWKS Endpoint requests issue

lastneutrino · November 24, 2020, 4:31pm

I’m new to Auth0 - and getting this error in the console. The auth0 log indicates I am logged in - but my graphQL response is indicating “Unexpected token < in JSON at position 0” which makes me think I am receiving back HTML instead of JSON. In the console, I’m seeing the following:

JwksRateLimitError: Too many requests to the JWKS endpoint

Is there something else going on here that I’m not seeing? The server crashes due to the number of requests, and I’m not getting the user information back in JSON. I am logged in though, so that’s a good success.

joseantonio.rey · November 25, 2020, 5:29am

Hello, @lastneurino,

The JWKS endpoint is located at auth0.doma.in/.well-known/jwks.json, and contains a list of JSON Web Keys that you can use to verify the signature of the token. It is, however, rate limited.

Are you caching the responses from this endpoint? If not, I would recommend you do to avoid hitting this issue.

lastneutrino · November 25, 2020, 2:52pm

Ok - I’m just getting started here and using Apollo. I’m really at the ‘hello world’ stage, trying to duplicate what I used to do in Ruby on Rails with a home brewed authentication and authorization system.

In Apollo, I’m storing the user with the following:

const server = new ApolloServer({
    gateway,
    subscriptions: false,
    context: ({ req }) => {
        const user = req.user || null;
        return { user };
    }
})

I have cache set in the check of the token access:

   const jwtCheck = jwt({
        secret: jwksClient.expressJwtSecret({
            cache: true,
            rateLimit: true,
            jwksRequestsPerMinute: 5,
            jwksUri: `${process.env.AUTH0_ISSUER}.well-known/jwks.json`

        }),
            audience: process.env.AUTH0_AUDIENCE,
            issuer: process.env.AUTH0_ISSUER,
            algorithms: ['RS256'],
            credentialsRequired: false
    });

where the env variables are:

AUTH0_AUDIENCE=http://localhost:4000/graphql
AUTO0_ISSUER=https://<my tenant>.us.auth0.com/

Is the jwksUri incorrect? It doesn’t match yours, but I’m just following a hello world type example and just trying to get the user. The login is definitely happening.

joseantonio.rey · November 25, 2020, 2:56pm

Hello, @lastneutrino,

Did you copy this directly from your code? If so, there might be a typo here - should be AUTH0 instead of AUTO0.

lastneutrino · November 25, 2020, 3:53pm

You’re a god. At least my concept was good - dyslexia was the mountain.

Sort of an odd response to a completely incorrect variable, isn’t it? Technically the issuer, not being defined, shouldn’t have tried to connect?

I get the user object now, and was able to verify the incorrect access token returned a null user. Thanks again.

konrad.sopala · December 8, 2020, 9:35am

Hey there @joseantonio.rey!

Would you be able to followup on that? Thanks!

lastneutrino · December 8, 2020, 1:59pm

I think it’s a client issue, but as a suggestion, if auth0 used Mandi Wise’s setup as a ‘hello world’ to auth0, it would go a lot smoother. In terms of the other issue, forgetting about the local us domain in the uri, a request to that uri should return an error, that’s an auth0 issue.

joseantonio.rey · December 14, 2020, 2:22pm

Sorry - I’ve been off last week.

This is indeed a client error, as @lastneutrino mentioned.

system · December 29, 2020, 2:22pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.