Auth0 Home Blog Docs

Linking account error

linking-account

#1

I’m getting an error trying to link accounts: Error linking Accounts: 400

{"statusCode":400,"error":"Bad Request","message":"JWT (link_with) contains an invalid aud claim.","errorCode":"invalid_body"}.

My token request:

private async Task<AccessTokenResponse> GetToken(AuthenticationApiClient client, string email, string password)
            {
                var result = await client.GetTokenAsync(new ResourceOwnerTokenRequest
                {
                    ClientId = auth0ClientId,
                    ClientSecret = auth0ClientSecret,
                    Scope = "openid+profile",
                    Realm = "Username-Password-Authentication", // Specify the correct name of your DB connection
                    Username = email,
                    Password = password
                });
    
                return result;
            }

And here is my linking request: https://s.mail.ru/2Swi/iuuviZDh1

Any ideas how to fix this?


#2

The error in question seems to point to the fact that the ID tokens you’re using to call the account linking endpoint were not issued to the same client application. When you use the link_with approach you need to ensure that the provided ID token was issued to (aud claim) the same client application of the ID token being used in the authorization header.


#3

@jmangelo, thanks for your response.
Looks like the problem is in the scope. What is the correct way to set a several scopes for ResourceOwnerTokenRequest ?


#4

Actually I tried 2 options:

  1. Scope = “openid profile”.
  2. Scope = “openid+profile”.

In one case I’m able to get a profile with identities but I have an error with linking I described above. In another case linking is working but user profile doesn’t contain identities. This is weird…


#5

@jmangelo, thanks for your response.
Looks like the problem is in the scope. What is the correct way to set a several scopes for ResourceOwnerTokenRequest ?


#6

Actually I tried 2 options:

  1. Scope = “openid profile”.
  2. Scope = “openid+profile”.

In one case I’m able to get a profile with identities but I have an error with linking I described above. In another case linking is working but user profile doesn’t contain identities. This is weird…


#7

For that request you should separate scopes with a space because that’s how they are supposed to be provided. Have in mind that when the authentication request is performed through a GET HTTP request to the authorization endpoint then the scopes are provided in the query string of the URL and spaces should be encoded according to the rules of URL encoding. In those situations the space can be encoded as a + because the HTTP server will decode it back to a space so you may see some situations where spaces are used. However, for your situation that does not apply so use a space directly.


#8

You should use option one and have in mind that the method in question will perform an OIDC compliant authentication which means that the user information that you will be able to access by default will only be the one that is associated with standard OIDC claims (identities is not standard). You seem to be experiencing multiple unrelated problem so it may be better to focus on one at a time and update the question with all the steps to reproduce.


#9

OK, let me explain the problem in general. I’m implementing web app with a server side authentication. I need to implement linking accounts page. I’m using this sample https://github.com/auth0-samples/auth0-link-accounts-sample/tree/master/SPA. But I want to prevent user from login second time. So I’m inserting the tokens and user_id to localStorage directly. For some reason these tokens doesn’t work for Lock plugin.


#10