I have a Svelte frontend using the auth0-spa-js library and a Django REST Framework backend that I set up according to the Auth0 quickstart documentation.
It works perfectly using my personal auth0 account that I was using to test with.
I then got a new domain and email set up, so I created a new account for that, to separate it from my personal stuff, and pushed it to production.
However, for some reason the token endpoint is returning a non-JWT token.
It’s the exact same code, and it continues to work correctly on my local dev machine with my dev credentials.
This is what my local token response looks like:
{"access_token":"JWTACCESSTOKEN","scope":"openid profile email","expires_in":86400,"token_type":"Bearer"}
This is what the production token response looks like:
{"access_token":"NONJWTACCESSTOKEN","id_token":"JWTIDTOKEN","scope":"openid profile email","expires_in":86400,"token_type":"Bearer"}
Looking at the request headers, the only difference I can see is that the production headers contain sec-gpc: 1; all other headers and the body have the same keys and similar values.
Auth0 will supply a JWT Access Token when you provide an audience that refers to an API that you have registered in your Auth0 tenant. Otherwise, an opaque token will be returned.
I then use client.loginWithRedirect to log in a user that has not yet logged in, and client.isAuthenticated and client.getTokenSilently to authenticate and grab their access token after login.
This is all linked not to an API in my dashboard, but to an Application. The API is linked to my Django backend, but the non-JWT token is getting passed to that and failing.
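As an added example (not from this thread, and not Auth0's or auth0-spa-js's own code), the client configuration that makes the token endpoint issue a JWT access token, next to a small inspection helper that tells an opaque token from a JWT and checks its aud claim against the backend API identifier. The domain, client id and audience values are placeholders, Node's Buffer is assumed, and the helper only inspects; it does not verify the signature, which the backend must still do.

```javascript
// Added example, not from the thread. Assumes Node >= 16 (Buffer 'base64url').
// The thread's symptom: without an audience in the authorization request,
// Auth0 returns an opaque access token instead of a JWT.

// Hypothetical auth0-spa-js v2 configuration; all three values are placeholders.
const auth0Config = {
  domain: 'TENANT.REGION.auth0.com',         // placeholder tenant domain
  clientId: 'CLIENT_ID',                     // placeholder application client id
  authorizationParams: {
    audience: 'https://api.example.com',     // identifier of the API registered in the tenant
    scope: 'openid profile email',
  },
};

// Classify a token the way a debugging hook or a backend gate would:
// a JWT has three base64url segments whose first two decode to JSON.
function inspectAccessToken(token, expectedAudience) {
  const parts = token.split('.');
  if (parts.length !== 3) return { isJwt: false, reason: 'not three segments' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { isJwt: false, reason: 'segments are not base64url JSON' };
  }
  // aud may be a string or an array; normalise before comparing.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return { isJwt: true, alg: header.alg, aud, audMatches: aud.includes(expectedAudience) };
}

// Constructed sample tokens: the JWT carries a dummy signature (inspection only),
// the opaque one mimics what the poster saw in production.
function b64url(obj) { return Buffer.from(JSON.stringify(obj)).toString('base64url'); }
const jwtSample = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ iss: 'https://TENANT.REGION.auth0.com/', aud: ['https://api.example.com'], scope: 'openid profile email' }),
  'dummysig',
].join('.');
const opaqueSample = 'AbC123opaqueTokenValue';
```

Run inspectAccessToken on the value that comes back from getTokenSilently: isJwt false means the request carried no audience, and audMatches false means it carried the wrong one.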