Keep getting Invalid token audience "{some_audience_here}" error when trying to validate a token

I am developing two integrations to Auth0, one is a single page JS app that the user interacts with for authorization. The other is a Laravel API which will handle the business logic.

Basically it’s this exact flow:

I’ve got the JS app working fine, it calls the relevant “Application” on Auth0 and returns me an “access_token” (I am setting the “audience” attribute on the auth call to the relevant Client ID in my API).

The JS frontend then sends this access_token to my Laravel API, which has integrated the basic “quick start” guide from Auth0 for Laravel APIs. The failure happens in the middleware where it takes the token from the header and tries to verify it with Auth0. As soon as it does this, I get an “Invalid token audience” error. It shows me the expected audience, which IS the audience I have attached to the Auth0 API I created and which is being used by my Laravel API.

My middleware class is as follows:


<?php

namespace GiveToLocal\Http\Middleware;

use Auth0\Login\Contract\Auth0UserRepository;
use Auth0\SDK\Exception\CoreException;
use Auth0\SDK\Exception\InvalidTokenException;
use Closure;

class CheckJWT
{
    protected $userRepository;
    
    /**
     * CheckJWT constructor.
     *
     * @param Auth0UserRepository $userRepository
     */
    public function __construct(Auth0UserRepository $userRepository)
    {
        $this->userRepository = $userRepository;
    }
    
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $auth0 = \App::make('auth0');

        $accessToken = $request->bearerToken();
        try {
            $tokenInfo = $auth0->decodeJWT($accessToken);
            $user = $this->userRepository->getUserByDecodedJWT($tokenInfo);
            if (!$user) {
                return response()->json(["message" => "Unauthorized user"], 401);
            }

            \Auth::login($user);
        } catch (InvalidTokenException $e) {
            return response()->json(["message" => $e->getMessage()], 401);
        } catch (CoreException $e) {
            return response()->json(["message" => $e->getMessage()], 401);
        }

        return $next($request);
    }
}

And it fails with the following error:
{"message":"Invalid token audience {my_audience}, {my_auth0_domain}.eu.auth0.com\/userinfo; expected {my_api_client_id}, "}

For anyone else that comes across this:

In getting to my results I followed the Laravel API Authorization guide(s) here:

The problem is that the “sample app” you can download differs from the library that it tells you to install on your own Laravel instance with this command: composer require auth0/login:"~5.0"

I drilled in to the SDK and found that the published config differed, the one above had this section commented out:

/*
    |--------------------------------------------------------------------------
    |   The authorized token audiences
    |--------------------------------------------------------------------------
    |
    */
    // 'api_identifier'  => '',

Which means the “audience” was not being passed to Auth0 with the token, hence the invalid audience error. I switched this config for:

/*
    |--------------------------------------------------------------------------
    |   The api identifier
    |--------------------------------------------------------------------------
    |   This is used to verify the decoded tokens when using RS256
    |
    */
    'api_identifier'  => getenv('API_IDENTIFIER'),

And ensured the relevant .env var was set as API_IDENTIFIER.

This resolved the issue.

Also note that the config var for the Auth0 domain:

'domain' => env( 'AUTH0_DOMAIN' ),

Differs in the sample app as it injects the https and trailing slash. I had to ensure I had the full url in the .env file as opposed to just the domain portion defined in the sample app.
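To make the audience failure above reproducible offline, here is an added example (not code from the Auth0 SDK or from the post) that re-implements only the audience part of the check: the token's "aud" claim, in string or array form, must contain the configured api_identifier, and an empty api_identifier is treated as a misconfiguration. The helper names, the empty-identifier behaviour and the token itself are assumptions constructed for this example; signature verification is out of scope and must still be done by the SDK.

```php
<?php
// Added example, not the SDK's code: audience check only, no signature verification.

function base64url_decode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad > 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true);
}

/** Returns the token's "aud" claim as a list, whether it was a string or an array. */
function token_audiences(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Malformed JWT');
    }
    $payload = json_decode(base64url_decode($parts[1]), true);
    $aud = $payload['aud'] ?? [];
    return is_array($aud) ? $aud : [$aud];
}

/** The configured API identifier must appear in "aud"; empty config is rejected (assumed behaviour). */
function check_audience(string $jwt, string $apiIdentifier): void
{
    if ($apiIdentifier === '') {
        // This is the state the commented-out 'api_identifier' line leaves you in.
        throw new RuntimeException('api_identifier is not configured; refusing all tokens');
    }
    $audiences = token_audiences($jwt);
    if (!in_array($apiIdentifier, $audiences, true)) {
        throw new RuntimeException(sprintf('Invalid token audience %s; expected %s',
            implode(', ', $audiences), $apiIdentifier));
    }
}

// Constructed token: aud lists the API identifier and the /userinfo endpoint, as Auth0 does.
// The header and third segment are placeholders; nothing here checks the signature.
$payload = ['aud' => ['https://example-api', 'https://example.eu.auth0.com/userinfo'], 'sub' => 'auth0|123'];
$b64url = fn(string $s) => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$jwt = $b64url('{"alg":"RS256","typ":"JWT"}') . '.' . $b64url(json_encode($payload)) . '.placeholder';

check_audience($jwt, 'https://example-api');                     // accepted
foreach (['', 'some-client-id'] as $bad) {                        // empty config, client ID used as audience
    try { check_audience($jwt, $bad); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
}
```

The second rejected case shows why setting the "audience" to a client ID instead of the API identifier fails the same way: the check compares against the API identifier, not the application's client ID.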


@mattwade - Apologies for the trouble there and glad you got it figured out. I’ve got a pull request in to our docs team that addresses exactly this as the instructions are currently not very clear.

Let us know if anything else comes up!