OPError: invalid_token (The access token signature could not be validated

My JWT is this. As you can see, it has two audiences specified.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjlKbThTUDF3VGlnb0M0dHNETlZpRiJ9.eyJodHRwczovL215Y29tZWR5dGlja2V0cy5jb20vcm9sZXMiOlsiYWRtaW4iLCJjbHViLW1hbmFnZXIiLCJjb21pYyJdLCJpc3MiOiJodHRwczovL2xvZ2luLm15Y29tZWR5dGlja2V0cy5jb20vIiwic3ViIjoiZ29vZ2xlLW9hdXRoMnwxMDE4MzMyNjg2NTYzMDUyMzU3NTciLCJhdWQiOlsicHVuY2hsaW5lL2FwaSIsImh0dHBzOi8vcHVuY2hsaW5lLnVzLmF1dGgwLmNvbS91c2VyaW5mbyJdLCJpYXQiOjE2NzkyOTEzOTUsImV4cCI6MTY3OTM3Nzc5NSwiYXpwIjoiRUtRd0F1bGxka2Z5MUV3QUdnS0JPQ1BlOTJYVmFWYlYiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwicGVybWlzc2lvbnMiOltdfQ.AohSNUg0qlpsTmY4rqWRlkAOxgeiBNeFYP3vV0ynMOzfzvncTBz9zViCLb6nv1YJm5d3PN4pozMG_G-TGlcjWNzcUSfm7xQ0Wo-d-iF1l_IpDivXcXVMC6OBEhCp3CxO6uw_Qpixqa85rINyaPUsofdAZnTjlJ8y_b9wHGyETbhDxf_4DfwwDtuDBJvFHamWTIz_pB3p0I4mZJycKk9eUoTiaIJlJA8Chco7Iz5EeW_VxKxUcM35uYoq4p5d8Iro3Bwfu3PuZDGln9IzVrGEp5ojysEUtVaSd23UOJy_FqmojEQUO6Yr7u7VJa6fYn6o0odWO6_x7QZztH8Ux4bv9A

I presume (maybe incorrectly) that I need to specify two audiences in the initial auth config:

    authRequired: false,
    auth0Logout: true,
    idTokenSigningAlg: "RS256",
    authorizationParams: {
        scope: 'openid profile email',
        response_type: 'code',
        response_mode: 'form_post',
        audience: 'punchline/api'
    },

However, audience is a string parameter and cannot take multiple (I tried separating with a space but it didn’t work). I assume this is why I’m getting:

OPError: invalid_token (The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens)

Is this correct?

Can someone from Auth0 speak to this?

Hey there @Arsenalist (nice username :soccer: :wink: )!

Where exactly are you getting this error, your API? The token you shared is RS256 - the /userinfo audience is added by default, so there is no need to add any extra audience param.

Keep us posted!

I get this error when I call const userInfo = await req.oidc.fetchUserInfo();


Thanks for confirming - Do you get the same error when using an access token and calling /userinfo manually?

    curl --request GET \
      --url 'https://{yourDomain}/userinfo' \
      --header 'Authorization: Bearer {ACCESS_TOKEN}' \
      --header 'Content-Type: application/json'

Thank you. It works fine in the curl call.

I am calling this in the callback which you provide in the auth middleware. The session value (third parameter) has the right info but this call fails.

I got this message from the paid support channel. I’m not sure this is actually correct. My use case is so simple. I’m literally just trying to retrieve user info from one API (punchline/api).

Thank you for contacting Auth0 Support, I’m glad to assist. Unfortunately, it is not possible to obtain a token to be used against multiple APIs as audience values, as you mentioned. The best approach to handle this is to obtain a token per API within your app. You may consider also the approach of using a logical API that represents multiple APIs in your system which is outlined in the following docs: Configure Logical API for Multiple APIs

Hey @Arsenalist thanks for the update.

I don’t think that information is correct either when it comes to the /userinfo audience, see this post.

While I’m still not positive what the issue could be in your particular implementation, I spent some time digging into this today and was successfully able to call fetchUserInfo() - I added some code to our auth0-express-web-app sample to accomplish this. If you are interested in trying my updated sample yourself, you can find it here.

You should just need to clone it, cd into 01-login, npm install, add your own .env file (below), and run npm start:

CLIENT_ID={your_client_id}
ISSUER_BASE_URL={https://your_domain.us.auth0.com}
SECRET={random_string}
clientSecret={your_client_secret}
PORT=3000

Hope this helps!
