I got into a problem. I'm finalising my API (Laravel) and doing some tests. Almost everything goes well. Here is the problem:
- I log in with Lock and retrieve the "access_token" and "id_token".
- I tried to reuse the id_token to access my API via Postman, then I got an "Unauthorized user".
- I tried the Postman Auth0 method "Returns a user profile based on the Auth0 access token" to test my tokens: it works with the access_token (I get the user profile), but doesn't work with the id_token; I get an "Unauthorized" response. If I log the error in "Auth0JWTMiddleware.php" I catch "CoreException: Auth0\SDK\Exception\CoreException: Signature verification failed in /var/www/vendor/auth0/auth0-php/src/JWTVerifier.php:139".
- Then I tested the id_token on https://jwt.io/ and got "Invalid signature".
I'm stuck, where should I look? Can you help me please?
Answer after successful login: https://myApp/auth0/callback#access_token=ppbgMIxXayx4Son9&expires_in=86400&id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InRlc3RAdGVzdC5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHBzOi8vYWx0aXR1ZGUtc3BvcnRzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OTUyYWMzZGU2NDBiYzNhOWZhYmJiMGEiLCJhdWQiOiJJNFFvdTdZWjVQUTZqM1A1eXo3TEthR3RzT2lmRTVYUiIsImV4cCI6MTQ5ODcwNDE4MSwiaWF0IjoxNDk4NjY4MTgxLCJhdF9oYXNoIjoiajNrd2w0V0tFSk93d2JjUEFFbDQ5ZyJ9.dR8KamTGQ6I_2CXWfwozRrRU7qCzv6LqUwTsVU-q11k&token_type=Bearer
If you are using the OIDC conformant flows, you should be passing the access_token to your API, not the id_token. I suggest going through our Laravel API quickstart, which outlines this:
The reason for the Invalid Signature error on jwt.io is that you have not verified the token using the client secret. If you paste your Client Secret into the "secret" input box under the Verify Signature heading, it should successfully verify.
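The posted id_token has an `alg` of `HS256` in its header, so its signature is an HMAC keyed with the client secret; any verifier that does not hold that secret (jwt.io with an empty secret box, or an API configured with the wrong one) reports exactly the "Invalid signature" / "Signature verification failed" seen above. The following Python script is an added example, not code from the original post, the auth0-php SDK or jwt.io: it mints an HS256 token with a constructed client secret, then verifies it the way jwt.io does once the secret is pasted in, plus the issuer, audience and expiry checks an API should make before trusting the claims. The client secret, tenant issuer, client ID and claim values are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example only; not the poster's real client
# secret, tenant or client ID.
CLIENT_SECRET = "example-client-secret-not-real"
ISSUER = "https://example-tenant.auth0.com/"
CLIENT_ID = "exampleClientId123"


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding the JWS encoding strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, secret: str, alg: str = "HS256") -> str:
    """Build a compact JWS: HMAC-SHA256 over base64url(header).base64url(payload),
    keyed with the client secret. `alg` is a parameter only so a malformed
    'none' token can be built to show the verifier rejects it."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."  # unsigned token, must never verify
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str, audience: str, issuer: str, now: int) -> dict:
    """Verify an HS256 token and return its claims; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part compact JWS")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to pick 'none' or a
    # different scheme than the one the verifier is configured for.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; this is the check that fails without the client secret.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Mint a token with the client secret and verify it with the same secret."""
    claims = {"iss": ISSUER, "sub": "auth0|example", "aud": CLIENT_ID,
              "iat": 1_500_000_000, "exp": 1_500_036_000}
    token = mint_hs256(claims, CLIENT_SECRET)
    return verify_hs256(token, CLIENT_SECRET, CLIENT_ID, ISSUER, now=1_500_000_100)


if __name__ == "__main__":
    print("verified claims:", demo())
    try:
        verify_hs256(mint_hs256(demo(), CLIENT_SECRET), "wrong-secret",
                     CLIENT_ID, ISSUER, now=1_500_000_100)
    except ValueError as err:
        print("with the wrong secret:", err)
```

The `access_token` in the posted callback URL (`ppbgMIxXayx4Son9`) contains no `.` separators, so it is not a JWT at all and a verifier like this one does not apply to it; that matches the answer's point that the API should receive the access_token issued for it rather than the id_token, which is signed for the client application.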