I am developing two integrations to Auth0, one is a single page JS app that the user interacts with for authorization. The other is a Laravel API which will handle the business logic.
Basically it’s this exact flow:
I’ve got the JS app working fine, it calls the relevant “Application” on Auth0 and returns me an “access_token” (I am setting the “audience” attribute on the auth call to the relevant Client ID in my API).
The JS frontend then sends this access_token to my Laravel API, which has integrated the basic “quick start” guide from Auth0 for Laravel APIs. The failure happens in the middleware where it takes the token from the header and tries to verify it with Auth0. As soon as it does this I get an “Invalid token audience” error. It shows me the expected audience, which IS the audience I have attached to the Auth0 API I created and which is being used by my Laravel API.
My middleware class is as follows:
```php
namespace GiveToLocal\Http\Middleware;

use Auth0\Login\Contract\Auth0UserRepository;
use Auth0\SDK\Exception\CoreException;
use Auth0\SDK\Exception\InvalidTokenException;
use Closure;

class CheckJWT
{
    protected $userRepository;

    /**
     * CheckJWT constructor.
     *
     * @param Auth0UserRepository $userRepository
     */
    public function __construct(Auth0UserRepository $userRepository)
    {
        $this->userRepository = $userRepository;
    }

    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $auth0 = \App::make('auth0');
        // Access token arrives as "Authorization: Bearer <token>"
        $accessToken = $request->bearerToken();
        try {
            // Verifies signature, issuer and audience against the SDK config
            $tokenInfo = $auth0->decodeJWT($accessToken);
            $user = $this->userRepository->getUserByDecodedJWT($tokenInfo);
            if (!$user) {
                return response()->json(["message" => "Unauthorized user"], 401);
            }
            \Auth::login($user);
        } catch (InvalidTokenException $e) {
            return response()->json(["message" => $e->getMessage()], 401);
        } catch (CoreException $e) {
            return response()->json(["message" => $e->getMessage()], 401);
        }
        return $next($request);
    }
}
```
And it fails with the following error:
{"message":"Invalid token audience {my_adience}, {my_auth0_domain}.eu.auth0.com\/userinfo; expected {my_api_client_id}, "}
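Added example (not the poster's code and not the Auth0 SDK's): the audience check that produces this kind of error compares the `aud` claim of the token, which per RFC 7519 may be a single string or an array, against the audience the API is configured to expect. The token below is constructed with placeholder names and a placeholder signature segment; a real verifier must validate the signature before trusting any claim.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_audiences(jwt: str) -> list:
    """Return the aud claim as a list; aud may be a string or an array."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    payload = json.loads(b64url_decode(parts[1]))
    aud = payload.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(jwt: str, expected: str) -> tuple:
    """API-side audience check: (ok, message). Signature is NOT checked here."""
    auds = token_audiences(jwt)
    if expected in auds:
        return True, "audience ok"
    return False, "Invalid token audience %s; expected %s" % (", ".join(auds), expected)


# Constructed sample: an access token issued for an API identifier plus the
# tenant's /userinfo endpoint, the two-audience shape seen in the error above.
SAMPLE_PAYLOAD = {
    "iss": "https://example-tenant.eu.auth0.com/",
    "sub": "auth0|constructed-user",
    "aud": ["https://example-api-identifier", "https://example-tenant.eu.auth0.com/userinfo"],
    "exp": 4102444800,
}
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    "PLACEHOLDER_SIGNATURE",  # constructed; not a valid signature
])

if __name__ == "__main__":
    print(check_audience(SAMPLE_JWT, "https://example-api-identifier"))
    print(check_audience(SAMPLE_JWT, "EXAMPLE_CLIENT_ID"))
```

The second call reproduces the failure shape: the token's audiences are listed, followed by the value the API was configured to expect.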