Not able to access /userinfo from created API

I’m trying to implement Auth0 within my SPA ( vuejs ).

  • I created an API, gave it an audience ( test.aud ) and set the signing algorithm to RS256.
  • I then went into the client that was created and set the oAuth signing algorithm to RS256.
  • In my app I’m using auth0.js, and followed the instructions to create a WebAuth() with scope = openid

All of which is working, however when I try to access the /userinfo endpoint with the JWT access_token I’m getting a 401. When I look in the token I see “aud”: “test.aud”, which I believe is the problem. From what I’ve read, aud should be an array of values, the audience I specified and https://[account].auth0.com/userinfo, but it’s not there.

I believe the problem is that I can’t hit that endpoint with the JWT token if it’s not in the ‘aud’, and it should be included as long as I include ‘openid’ in the scope, which I’m doing. Alternatively, if I use https://[account].auth0.com/userinfo as my audience to create the token, then I get the 16 digit opaque token, which I’m then able to use to get /userinfo, but I’m not able to use that token in a custom authorizer for my application API.

You satisfied the requirements for the access token to be issued with multiple audiences, so the most likely cause of the behavior you then observe is that one of those requirements was met only on paper and the actual implementation may have an issue. I just did a quick test by doing the same checklist and the access token returned had multiple audiences.

The points in the flow where something unexpected is happening will likely be in the actual call to the /authorize endpoint, so if you can include the actual request with all the parameters in your question that would be great (you can redact the redirect URI and client identifier if you prefer).

In addition, it might help if you include the payload of the access token issued to you, you can use jwt.io to get the actual payload and again, you can redact some of the claim values if you deem it necessary.

Thanks for the response. Here is my implementation.

I’m using the auth0-js javascript library and creating an instance of WebAuth to use the hosted login page, and I have the username / password form enabled as well as the Google and Facebook social connections, however all of my testing has been done with my Google account.

  auth0 = new auth0.WebAuth({
    domain: '[account].auth0.com',
    clientID: '[my client id]',
    redirectUri: 'http://localhost:8081/callback', // comma was missing here
    audience: 'test.aud',                           // identifier of the custom API
    responseType: 'token id_token',                 // implicit flow: access_token + id_token
    scope: 'openid profile'
  })

Upon clicking my login button, I then call

this.auth0.authorize()

Once I complete the login, I’m issued an access_token, id_token, and expiration token. The access token payload ends up looking like this…

{
  "iss": "https://[account].auth0.com/",
  "sub": "google-oauth2|[my id]",
  "aud": "test.aud",
  "iat": 1509124569,
  "exp": 1509131769,
  "azp": "eG1vbWWNreOD6fJy3AatuIMn36fCI9VN"
}

As you can see the “aud” is a single value, not an array as you’d expect. Clearly, I’m doing something wrong, but I’m just not seeing it, any help you can provide would be greatly appreciated.

Continued to try different configuration combinations and I’m still having no luck. I thought I would also include my API / Client configurations here to see if there is something I’m doing wrong on the Auth0 side.

I believe my API settings are all defaults for RS256

Identifier: [generated]
Token Expiration: 86400
Token Expiration for Browser: 7200
Allow Skipping User Consent: On
Allow Offline Access: Off
Signing Algorithm: RS256
Scopes: None Specified
Non Interactive Clients: None Specified

The configuration for my client is as follows

Name: [Company Name]
Domain: [account].auth0.com
Client Id: [generated]
Client Secret: [generated]
Description: None Specified
Client Logo: None Specified
Client Type: Single Page Application
Token Endpoint Authentication Method: [DISABLED]
Allowed Callback URLS: http://localhost:8081/callback
Allowed Web Origins: None Specified
Allowed Logout URLs: None Specified
Allowed Origins (CORS): None Specified
JWT Expiration: 36000
Use Auth0 instead of the IdP to do SSO: Off

Advanced Settings:
Application Metadata: None Specified
Mobile Settings: None Specified
OAuth: 
Allowed APPs / APIs: None Specified
JSONWebToken Signature Algorithm: RS256
OIDC Conformant: Off
Cross Origin Authentication: Off
Cross Origin Authentication Location: None Specified
Grant Types: Implicit
Endpoints: Unchanged from defaults

Please let me know if anything here seems misconfigured, I’m still unable to get the /userinfo endpoint added to my “aud” within my allow_token and in turn not able to retrieve the profile for my users.

Also, I’ll mention that I’m on the Free Tier, not sure if that would have any bearing on the situation.

Thanks.
@jmangelo

After banging my head on the keyboard for a few days I was able to resolve the issue, unfortunately I don’t know exactly what the issue was. Both my configuration in Auth0 and my implementation seemed correct, so I wanted to make sure nothing else was interfering. I remembered that when I first set up my account, and did a walk through with an Auth0 representative, he had helped me install the Auth0 Authorization extension and set up some rules. I’m really not sure what was in the setup, or the rules, since they were both done months ago, but I uninstalled that extension, and suddenly everything started working properly, and now my JWT token has the proper “aud” including the ‘/userinfo’ endpoint.

I hate solving a problem and not really understanding the cause, especially since it won’t really help anyone else in the future with a similar problem, but it’s working for me now and I’m moving on.

Thanks.