I’m currently encountering an issue where I receive an opaque token instead of the expected JWT when using the client credentials grant to authenticate against my API. I’ve verified that my API configuration and the audience parameter are correctly set up in the Auth0 dashboard, yet the issue persists. Below is the curl command I’m using to request the token:
curl --request POST
–url ‘https://{DOMAIN}/oauth/token’
–header ‘content-type: application/json’
– data grant_type: “client_credentials”
– data client_id: “CLIENT_ID”
– data client_secret: “CLIENT_SECRET”
– code: url parameter code
– data redirect_uri: “https://APP/callback”
– data audience: “API_IDENTIFIER”
I’ve ensured the following:
The audience parameter matches exactly the API identifier set in the Auth0 dashboard.
I’m using Wized to do the request.
Given this setup, I was expecting to receive a JWT to facilitate API access, but instead, I receive an opaque token. This outcome is puzzling, especially since the audience parameter is correctly specified, which typically triggers JWT issuance.
Could anyone provide insights or suggestions on what might be causing this issue or what further steps I could take to diagnose and resolve it? Any advice on additional configurations to check or common pitfalls to avoid would be greatly appreciated.
Hmm that’s odd What makes you think it’s opaque? Do you see any claims (iss, sub, aud, etc.) when you paste the token in jwt.io? Is there a reason you are passing a redirect_uri as it’s not a required (nor relevant) in a client credentials exchange.
I realize now that my initial message was missing some crucial information that I have updated now, and I appreciate your patience. Let me address your questions:
On the Token Being Opaque: The reason I believed the token to be opaque is based on the format of the response I received from my curl request. Here’s a redacted version of the token for privacy:
When I attempted to decode this token on jwt.io, it indicated an invalid signature. Furthermore, the structure of the token, notably the presence of two consecutive periods (…) led me to understand it as opaque, according to this documentation Link opaque token I consulted.
Regarding the redirect_uri Parameter: Your point about the redirect_uri not being required or relevant in a client credentials exchange is well-taken. I included it following the documentation about the “Call Your API Using the Authorization Code Flow” Call Your API Using the Authorization Code Flow.
I hope this clarifies the confusion and gives more insight into the issues I’m facing. If there are any further steps I can take or additional details I can provide to resolve this matter, please let me know. Your guidance is greatly appreciated!
The authorization code flow referenced there is a user based flow, whereas client credentials doesn’t involve a user. Have you tried constructing a cURL request based on the example here?