
Management API returns 401 Unauthorized


#1

Hi,

I use auth0.js in an Angular application.
The new auth0.WebAuth method works well, but when I want to use the new auth0.Management method I receive a 401 Unauthorized response.
In detail, after creating a new WebAuth, I use the parseHash method of WebAuth to get the access token and ID token.
When I use my management function I get an error in the dev console:
PATCH https://xxxx.eu.auth0.com/api/v2/users/auth0|5ad8b180b09f330xxxxxx

statusCode: 401
error: Unauthorized
message: Invalid token
attributes: {…}
error: Invalid token

Code:

```typescript
import * as auth0 from 'auth0-js';

// Called on the redirect back from Auth0: reads the tokens out of the URL fragment
// (wrapper method name assumed; the original snippet showed only the parseHash call).
handleAuthentication(): Promise<boolean> {
  return new Promise((resolve, reject) => {
    this.webAuth.parseHash((err, authResult) => {
      if (authResult && authResult.accessToken && authResult.idToken) {
        window.location.hash = '';
        this.setSession(authResult);
        resolve(true);
      } else if (err) {
        reject(err);
      } else {
        resolve(false);
      }
    });
  });
}

private setSession(authResult): void {
  // Set the time that the access token will expire at
  const expiresAt = JSON.stringify((authResult.expiresIn * 1000) + new Date().getTime());
  localStorage.setItem('access_token', authResult.accessToken);
  localStorage.setItem('id_token', authResult.idToken);
  localStorage.setItem('expires_at', expiresAt);
}

private getIdToken(): string {
  return localStorage.getItem('id_token');
}

// Management API client; whatever is passed as `token` is sent as the Bearer token to /api/v2
private get management() {
  return new auth0.Management({
    domain: this.auth0Config.domain,
    token: this.getIdToken()
  });
}
```


#2

@mike31 when you are calling the Management API you need to use the access_token. It seems from this code that you are using the id_token. Also, to get an access_token from Auth0 that can be used with the Management API, you need to trigger authentication with the audience for the Management API.


#3

Hi sgmeyer,

Thank you, after checking the documentation you're right :)
But I still have an error with the access token:

statusCode: 400
error: Bad Request
message: Bad HTTP authentication header format
errorCode: Bearer

I see in the headers that the Authorization header seems well formed:
Authorization: Bearer XmjZzvFSGR6GE5dLfTAkWDqixxxxxxx


#4

@mike31, it seems you are using the 32-character opaque token as an access token. When you are authenticating users, are you sending the audience https://{your-tenant}.auth0.com/api/v2/ with the request? If so, you should have received a JWT access_token instead. I suspect this call is failing because the access_token is not a JWT.

Can you share the code you are using to trigger authentication to fetch tokens? In particular, I would like to see how the SDK, Lock, or whatever you are using to trigger auth is set up.


#5

Hi,

Thank you for your feedback.
Indeed, my access token does not have the correct format (xxxx.yyyyyy.wwwww).

I'm not sure about the audience; where can I check it?

The code to trigger auth:
I use auth0-js v9.5, an Angular 5 app and CouchDB (NoSQL DB).
Client ID and domain are fetched from CouchDB (works well).

```typescript
this.auth0Config = config.data.auth0;
this.webAuth = new auth0.WebAuth({
  clientID: this.auth0Config.clientID,
  domain: this.auth0Config.domain,
  responseType: 'token id_token',
  redirectUri: window.location.origin,
  scope: 'openid profile roles user_id name email',
  theme: {
    logo: this.auth0Config.logo,
    primaryColor: this.auth0Config.primaryColor
  },
  languageDictionary: {
    title: this.auth0Config.title,
    mfaInputPlaceholder: 'Code',
    mfaLoginTitle: '2-Step Vérification',
    // "Please enter the verification code generated by your mobile application."
    mfaLoginInstructions: 'Veuillez entrer le code de vérification généré par votre application mobile.',
    mfaSubmitLabel: "S'identifier",            // "Sign in"
    mfaCodeErrorHint: 'Utilisez des numéros',  // "Use digits"
    error: {
      login: {
        // "Multi-factor authentication is required, but your device is not enrolled."
        'lock.mfa_registration_required': "L'authentification multifactorielle est nécessaire, mais votre appareil n'est pas inscrit.",
        // "Wrong code. Please try again."
        'lock.mfa_invalid_code': 'Mauvais code. Veuillez réessayer.'
      }
    }
  },
  language: this.auth0Config.language,
});
```


#6

Hi,
I've just checked the audience, and in the APIs management interface I have as identifier (audience): https://[mydomain].eu.auth0.com/api/v2/

Thks
Michael


#7

OK, after testing, I added this line to auth0.WebAuth:

```typescript
audience: 'https://' + this.auth0Config.domain + '/api/v2/',
```

And my access token is now in JWT format :) but now I get a 403 Forbidden error when I use new auth0.Management... :(
The email and password are correct and the user is not blocked.
In the access token, the scope is "scope": "openid profile email" and I have "aud":

```json
[
  "https://[mydomain].eu.auth0.com/api/v2/",
  "https://[mydomain].eu.auth0.com/userinfo"
]
```

Any ideas?


#8

@Mike31 nice work so far. I think the last piece you need is to specify the scopes required to call the endpoint. In your example you are calling the update user endpoint. According to the API explorer docs (https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id) you need to request the update:users scope. This informs Auth0 of the authorization policy to apply to the JWT/access_token.



#9

@sgmeyer Thank you :)

I tried adding these 2 scope parameters but without result.
Have I misunderstood something?

In my auth0.WebAuth method I have the line:

```typescript
scope: 'openid profile roles user_id name email update:users update:users_app_metadata',
```


#10

@mike31, I don’t think you actually need update:users_app_metadata, but I am curious… can you share the decoded body of your JWT? Also, are you still getting the same error?


#11

Hi,
Yes, I still get the same 403 Forbidden error :(

No problem, here is the decoded access token JWT:

```json
{
  "http://[mydomain].local:4200/app_metadata": {
    "roles": [
      "Delegated Admin - User"
    ],
    "couchDB": {
      "host": "xxxxxxxxxx-6aa9-4b05-b600-7f75ed8bbcdd-bluemix.cloudant.com",
      "name": "develop_app",
      "key": "yyyyyyyyyyyyyyyyyyyyyyy",
      "password": "b8350508ba9557819c8ef003952xxxxxxxxxxxx"
    }
  },
  "http://[mydomain].local:4200/user_metadata": {
    "family_name": "XXXXX",
    "given_name": "XXXXXX"
  },
  "iss": "https://[mydomain].eu.auth0.com/",
  "sub": "auth0|5ad8b180b09f330744ab1e7f",
  "aud": [
    "https://[mydomain].eu.auth0.com/api/v2/",
    "https://[mydomain].eu.auth0.com/userinfo"
  ],
  "iat": 1526676645,
  "exp": 1526683845,
  "azp": "VhguTED3M5I0iaFwYY0RqXFrcsEpl0Vu",
  "scope": "openid profile email"
}
```


#12

@mike31 the access_token is still missing the necessary scope. If you look at the scope claim you have only openid profile email. It is missing the user scopes. You mentioned you had this webauth configured as so:

scope: ‘openid profile roles user_id name email update:users update:users_app_metadata’,

Any chance you have a rule or something filtering out scopes? From what I can tell your JWT is not being issued with the necessary scopes. Since you are doing web auth can you capture the call to /authorize endpoint? This will have quite a few get params. I want to make sure those params are being sent to authorize. Then also, can you let me know if any rules might be modifying the inbound scopes?