I have read just about every post where people are having issues with returned opaque JWTs after authentication. I have my Application and API registered. I understand in order to receive back a non-opaque JWT you must provide the ‘audience’ parameter in the request. But here is the problem:
The library for the Authenticator (auth.go) doesn’t support passing the audience parameter:
package main

import (
    "context"
    "os"

    oidc "github.com/coreos/go-oidc"
    "golang.org/x/oauth2"
)

// Authenticator holds the OIDC provider and the OAuth2 config used for Universal Login.
type Authenticator struct {
    Provider *oidc.Provider
    Config   oauth2.Config
}

func New() (*Authenticator, error) {
    provider, err := oidc.NewProvider(
        context.Background(),
        "https://"+os.Getenv("AUTH0_DOMAIN")+"/",
    )
    if err != nil {
        return nil, err
    }
    conf := oauth2.Config{
        ClientID:     os.Getenv("AUTH0_CLIENT_ID"),
        ClientSecret: os.Getenv("AUTH0_CLIENT_SECRET"),
        RedirectURL:  os.Getenv("AUTH0_CALLBACK_URL"),
        Endpoint:     provider.Endpoint(),
        // No audience is set anywhere in this config, so the access token
        // Auth0 returns is opaque and only usable against /userinfo.
        Scopes: []string{oidc.ScopeOpenID, "profile"},
    }
    return &Authenticator{
        Provider: provider,
        Config:   conf,
    }, nil
}
Any idea if this is a bug or am I missing something?
In the meantime, since many people have had this issue for over a year now… I figured I would work around the issue.
Once the user has authenticated successfully (using Universal Login), I issue another request to grab the JWT using the audience parameter as such:
import (
    "bytes"
    "encoding/json"
    "fmt"
    "net/http"
    "os"
)

type tokenResponse struct {
    AccessToken string `json:"access_token"`
    ExpiresIn   int    `json:"expires_in"` // Auth0 sends a number of seconds, not a string
    TokenType   string `json:"token_type"`
}

// Handler fetches a JWT for AUTH0_AUDIENCE with the client_credentials grant; that grant authenticates the application itself, not the user who just signed in.
func Handler() (string, error) {
    body, _ := json.Marshal(map[string]string{ // marshalling a string map cannot fail
        "client_id":     os.Getenv("AUTH0_CLIENT_ID"),
        "client_secret": os.Getenv("AUTH0_CLIENT_SECRET"),
        "audience":      os.Getenv("AUTH0_AUDIENCE"),
        "grant_type":    "client_credentials",
    })
    res, err := http.Post("https://"+os.Getenv("AUTH0_DOMAIN")+"/oauth/token", "application/json", bytes.NewReader(body))
    if err != nil {
        return "", err
    }
    defer res.Body.Close()
    if res.StatusCode != http.StatusOK {
        return "", fmt.Errorf("token endpoint returned %s", res.Status)
    }
    var token tokenResponse
    if err := json.NewDecoder(res.Body).Decode(&token); err != nil {
        return "", err
    }
    return token.AccessToken, nil
}
Not optimal but it works. Hope this helps someone.
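Added example (editor's code, not from the post above or from the Auth0 sample app): the audience parameter can be sent on the normal authorization-code flow, so the signed-in user's own access token comes back as a JWT. With golang.org/x/oauth2 that is `conf.AuthCodeURL(state, oauth2.SetAuthURLParam("audience", apiIdentifier))` and the same option on `conf.Exchange`; the client_credentials call in the post returns a token for the application itself, not for the user. The block below uses only the standard library: it builds the /authorize URL with the parameter, and a small inspector tells an opaque token from a JWT and reads its aud claim. Domain, client ID, callback, audience and the sample tokens are hypothetical values constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical stand-ins for the AUTH0_* environment variables used in the post.
const (
	domain   = "example.auth0.com"
	clientID = "abc123"
	callback = "http://localhost:3000/callback"
	audience = "https://api.example.com" // the API identifier registered in Auth0
)

// AuthorizeURL builds the /authorize request for the authorization-code flow with
// the audience parameter included. With golang.org/x/oauth2 the equivalent is
// conf.AuthCodeURL(state, oauth2.SetAuthURLParam("audience", audience)).
func AuthorizeURL(state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", callback)
	q.Set("scope", "openid profile")
	q.Set("state", state)
	q.Set("audience", audience)
	return "https://" + domain + "/authorize?" + q.Encode()
}

// TokenKind reports whether an access token is opaque or a JWT and, for a JWT,
// returns its aud claim. It only decodes the payload and does NOT verify the
// signature, so it is for diagnosis, never for an authorization decision.
func TokenKind(token string) (kind string, aud []string, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "opaque", nil, nil
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", nil, fmt.Errorf("parse claims: %w", err)
	}
	// RFC 7519 allows aud to be a single string or an array of strings.
	var single string
	if json.Unmarshal(claims.Aud, &single) == nil && single != "" {
		return "jwt", []string{single}, nil
	}
	if json.Unmarshal(claims.Aud, &aud) == nil {
		return "jwt", aud, nil
	}
	return "", nil, errors.New("aud claim missing or malformed")
}

// HasAudience reports whether token is a JWT whose aud claim names want.
func HasAudience(token, want string) bool {
	kind, aud, err := TokenKind(token)
	if err != nil || kind != "jwt" {
		return false
	}
	for _, a := range aud {
		if a == want {
			return true
		}
	}
	return false
}

// sampleJWT constructs an offline test token with the given aud claim; the third
// segment is a placeholder, not a real signature.
func sampleJWT(aud interface{}) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{
		"iss": "https://" + domain + "/", "sub": "auth0|user", "aud": aud,
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig-placeholder"
}

func main() {
	fmt.Println(AuthorizeURL("random-state"))
	opaque := "zXn8Q2m9kLp4RvT1" // constructed: the dot-less string returned when no audience is requested
	withAud := sampleJWT([]string{audience, "https://" + domain + "/userinfo"})
	for _, t := range []string{opaque, withAud} {
		kind, aud, _ := TokenKind(t)
		fmt.Printf("%-6s aud=%v matches API: %v\n", kind, aud, HasAudience(t, audience))
	}
}
```

`go run` prints the authorize URL with `audience=https%3A%2F%2Fapi.example.com` and then classifies the two constructed tokens. TokenKind deliberately skips signature verification; in the real application the API must still verify the token against the tenant's JWKS (for example with go-oidc's Verifier) before trusting anything in aud.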