JWT authentication was once working on my NodeJS API, now returning a 401 error

The following is the error I receive when making an API call to my Node JS server:
401 - {"statusCode":401,"error":"Unauthorized","message":"Expired token received for JSON Web Token validation","attributes":{"error":"Expired token received for JSON Web Token validation"}}

I used several valid access tokens from the Auth0 Management API (Test and API Explorer tab), none of which work. I also tried using access tokens retrieved from "https://[CLIENT].auth0.com/oauth/token", but the same error message is returned. The weird thing is, this was working just fine yesterday.

Please help me out; thanks in advance!

Also, if it helps, every time I go here: https://auth0.com/docs/api/management/v2, I have to set my API token again, even though I have already set it. It doesn't seem to save.

@dtr3 the API Explorer will not persist your tokens. This is by design, to help prevent those tokens from being leaked. As far as the error message goes, I might need some more details. All JWTs expire. The access_token's expiration is defined in the settings of the API for which the token was issued, so after a given interval those tokens will expire. It is unclear from the comments above, but it seems you may have issued the token yesterday and tried reusing it today. Can you share the decoded payload of the JWT?

{
"iss": "https://[CLIENT].auth0.com/",
"sub": "HC305sIL6C2onn8oSCLiE01VIrlbJx33@clients",
"aud": "https://[CLIENT].auth0.com/api/v2/",
"iat": 1526613405,
"exp": 1526699805,
"azp": "HC305sIL6C2onn8oSCLiE01VIrlbJx33",
"scope": "read:client_grants create:client_grants delete:client_grants update:client_grants read:users update:users delete:users create:users read:users_app_metadata update:users_app_metadata delete:users_app_metadata create:users_app_metadata create:user_tickets read:clients update:clients delete:clients create:clients read:client_keys update:client_keys delete:client_keys create:client_keys read:connections update:connections delete:connections create:connections read:resource_servers update:resource_servers delete:resource_servers create:resource_servers read:device_credentials update:device_credentials delete:device_credentials create:device_credentials read:rules update:rules delete:rules create:rules read:rules_configs update:rules_configs delete:rules_configs read:email_provider update:email_provider delete:email_provider create:email_provider blacklist:tokens read:stats read:tenant_settings update:tenant_settings read:logs read:shields create:shields delete:shields update:triggers read:triggers read:grants delete:grants read:guardian_factors update:guardian_factors read:guardian_enrollments delete:guardian_enrollments create:guardian_enrollment_tickets read:user_idp_tokens create:passwords_checking_job delete:passwords_checking_job read:custom_domains delete:custom_domains create:custom_domains read:email_templates create:email_templates update:email_templates",
"gty": "client-credentials"
}

@dtr3 the token you requested was issued at Thu May 17 2018 22:16:45 GMT-0500 (CDT) and then expired at Fri May 18 2018 22:16:45 GMT-0500 (CDT). Any time after the expiration date the Management API would no longer accept the token.

I suspect your tokens are expiring.
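The check the reply above did by hand (decode the payload, turn iat/exp into dates, compare with the clock), as an added example that is not code from the original thread. It only base64url-decodes the token, it does not verify the signature, so it is a diagnostic and never a substitute for verification. The tenant name and sub are placeholders; the iat/exp values are the ones quoted in the thread.

```javascript
// Added example (not code from the original thread): decode a JWT's payload
// WITHOUT verifying its signature (diagnosis only, never authorization) and
// report whether "now" falls inside the token's iat/exp window.

// base64url <-> Buffer helpers (Node 15.7+ understands the 'base64url' encoding)
const fromB64url = (s) => Buffer.from(s, 'base64url');
const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Split a compact JWS into its three parts and JSON-decode header and payload.
function decodeJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected header.payload.signature)');
  const header = JSON.parse(fromB64url(parts[0]).toString('utf8'));
  const payload = JSON.parse(fromB64url(parts[1]).toString('utf8'));
  return { header, payload, signature: parts[2] };
}

// Compare the token's time claims against "now" (seconds since the epoch).
// leeway absorbs small clock skew between issuer and verifier; a few seconds
// is normal, anything larger points at an NTP problem on one side.
function checkLifetime(payload, now = Math.floor(Date.now() / 1000), leeway = 0) {
  const { iat, exp, nbf } = payload;
  if (typeof exp !== 'number') return { status: 'invalid', reason: 'exp claim missing' };
  const toIso = (t) => new Date(t * 1000).toISOString();
  const result = {
    status: 'valid',
    issuedAt: typeof iat === 'number' ? toIso(iat) : undefined,
    expiresAt: toIso(exp),
    secondsUntilExpiry: exp - now,
    // iat in the future means the issuer's clock is ahead of ours (or vice versa);
    // iat alone does not reject a token, only nbf does (RFC 7519)
    clockSkewSuspected: typeof iat === 'number' && iat > now + leeway,
  };
  if (now >= exp + leeway) result.status = 'expired';
  else if (typeof nbf === 'number' && now < nbf - leeway) result.status = 'not_yet_valid';
  return result;
}

// Constructed sample: the iat/exp values quoted in the thread, wrapped in an
// unsigned token. The signature part is a placeholder, so this token would
// fail real verification; it is only here to exercise the decoder.
const SAMPLE_PAYLOAD = {
  iss: 'https://example.auth0.com/',        // assumed tenant name
  sub: 'abc123@clients',                     // placeholder client id
  aud: 'https://example.auth0.com/api/v2/',
  iat: 1526613405,
  exp: 1526699805,
  gty: 'client-credentials',
};
const SAMPLE_TOKEN = `${toB64url({ alg: 'RS256', typ: 'JWT' })}.${toB64url(SAMPLE_PAYLOAD)}.placeholder`;

// Run the diagnosis at a given instant; defaults to the real clock.
function diagnose(token, now) {
  const { payload } = decodeJwt(token);
  return checkLifetime(payload, now);
}

console.log(diagnose(SAMPLE_TOKEN, 1526650000)); // an instant inside the 24h window
console.log(diagnose(SAMPLE_TOKEN));             // against today's clock: long expired
```

Run it against the token the API rejects and compare `secondsUntilExpiry` and `clockSkewSuspected` with what the server's clock says; if the token is inside its window here but the API still says expired, the verifier's clock or its configuration, not the token, is the thing to look at.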

I have generated a new token and the same problem persists. I've synchronized my clock using NTP and my API is still proclaiming the token is expired. I have made sure that the server date is before the expiration date:

"iat": 1527014492,
"exp": 1527100892

@dtr3 I am stumped and need to circle back and ask around. The only time I’ve seen this error is when the token expired. Given what you sent that is an unexpired token and I would expect it not to be a problem.

I assume the error is still:

{"statusCode":401,"error":"Unauthorized","message":"Expired token received for JSON Web Token validation","attributes":{"error":"Expired token received for JSON Web Token validation"}}

Yes, exactly. My API is still returning that exact error

Hmmmmm, it looks like express-session is the real culprit here. I set req.session to null and now my JWT tokens are being authenticated properly! Thank you for helping me out!!

Now I have to figure out how to make JWT authentication and express sessions co-exist

Great!!! Now what are you using for JWT verification? Also, I like using Passport.js for the web app side and node-jsonwebtoken on the API side to validate. It is a bit weird to have an API also have sessions. Maybe this is part of the issue?

I ended up using https://auth0.com/docs/quickstart/backend/nodejs/01-authorization as my resource for verifying the tokens (express-jwt plus the other npm modules mentioned in the link). JWTs seem to act as their own "session", with the user ID encoded inside of it and "header" information from the payload, such as Issued At and Expires.

You have a point about questioning an api with sessions. I just read that server side sessions violate the stateless constraint of REST.

@dtr3 a JWT is not the same thing as a session, but I can see how one would connect those dots. JWTs are self-contained authorization policies signed by the Authorization Server. Any time you request a protected endpoint from a Resource Server (an API) you must send the JWT along with that request. The most common way is to use Authorization: Bearer xxx.yyy.zzz, where xxx.yyy.zzz is the JWT. The payload portion (yyy) will contain a subject claim (sub) that indicates the user for which the authorization policy is defined. A JWT is intended to be self-contained, so this is still stateless from the API's perspective, since it doesn't have to store data on the server representing a session.

I am not sure why your validation is not working, but that sample above looks pretty good. Let me know if you have any additional questions/clarifications as you work through the code.