Hey,
The following is the error I receive when making an API call to my Node JS server:
401 - {"statusCode":401,"error":"Unauthorized","message":"Expired token received for JSON Web Token validation","attributes":{"error":"Expired token received for JSON Web Token validation"}}
I used several valid access tokens from the Auth0 Management API (Test and API Explorer tab), none of which work. I also tried using access tokens retrieved from "https://[CLIENT].auth0.com/oauth/token", but the same error message is returned. The weird thing is, this was working just fine yesterday.
Also, if it helps, every time I go here: Auth0 Management API v2, I have to set my API token again, even though I have already set it. It doesn't seem to save.
@dtr3 the API explorer will not persist your tokens. This is by design, to help prevent those tokens from being leaked. As far as the error message goes, I might need some more details. All JWTs expire. The access_token's expiration is defined in the settings of the API for which the token was issued, so after that interval the token will expire. It is unclear from the comments above, but it seems you may have issued the token yesterday and tried reusing it today. Can you share the decoded payload of the JWT?
@dtr3 the token you requested was issued at Thu May 17 2018 22:16:45 GMT-0500 (CDT) and then expired at Fri May 18 2018 22:16:45 GMT-0500 (CDT). Any time after the expiration date the Management API would no longer accept the token.
I have generated a new token and the same problem persists. I've synchronized my clock using NTP and my API is still proclaiming the token is expired. I have made sure that the server date is before the expiration date:
{
…
"iat": 1527014492,
"exp": 1527100892
}
@dtr3 I am stumped and need to circle back and ask around. The only time I've seen this error is when the token expired. Given what you sent, that is an unexpired token and I would expect it not to be a problem.
I assume the error is still?
{"statusCode":401,"error":"Unauthorized","message":"Expired token received for JSON Web Token validation","attributes":{"error":"Expired token received for JSON Web Token validation"}}
Hmmmmm, it looks like express-session is the real culprit here. I set req.session to null and now my JWT tokens are being authenticated properly! Thank you for helping me out!!
Now I have to figure out how to make JWT authentication and express-session co-exist.
Great!!! Now what are you using for JWT verification? Also, I like using Passport.js for the web app side and node-jsonwebtoken on the API side to validate. It is a bit weird for an API to also have sessions. Maybe this is part of the issue?
I ended up using the Auth0 Node (Express) API SDK Quickstart: Authorization as my resource for verifying the tokens (express-jwt + the other npm modules mentioned in the link). JWTs seem to act as their own "session", with the user ID encoded inside them and "header" information in the payload, such as Issued At and Expires.
@dtr3 a JWT is not the same thing as a session, but I can see how one would connect those dots. JWTs are self-contained authorization policies signed by the Authorization Server. Any time you request a protected endpoint from a Resource Server (an API) you must send the JWT along with that request. The most common way is to use Authorization: Bearer xxx.yyy.zzz, where xxx.yyy.zzz represents the JWT. The payload portion (yyy) will contain a subject claim (sub) that indicates the user for whom the authorization policy is defined. A JWT is intended to be self-contained, so this is still stateless from the API's perspective, since the API doesn't have to store data on the server representing a session.
I am not sure why your validation is not working, but that sample above looks pretty good. Let me know if you have any additional questions/clarifications as you work through the code.