"Service not found" Error With Client ID

While trying to log in using OpenID Connect (at the /authorize endpoint) I immediately get an access_denied response from Auth0. When I go to the logs in Auth0, I see this error:

{
  "date": "2018-08-03T17:16:49.238Z",
  "type": "f",
  "description": "Service not found: *****",
  "connection_id": "",
  "client_id": "******",
  "client_name": "Editor UI Test",
  "ip": "*****",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
  "details": {
    "body": {},
    "qs": {
      "audience": "******",
      "state": "bgcbjwivth",
      "redirect_uri": "https://******.com/api/sso/openid-backend",
      "response_type": "code",
      "client_id": "*****",
      "scope": "openid email"
    },
    "error": {
      "message": "Service not found: ****",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    }
  },
  "hostname": "[tenant].auth0.com",
  "log_id": "90020180803171649238129015640224429796132571207373422706"
}

I know that client ID is correct. I even created a new Auth0 application and updated my web app’s settings to reflect its new client ID, but got the same error. What’s going on?

Hello there, Ryan.

You are probably using the wrong audience (a.k.a. API Identifier). For security purposes, we have removed sensitive data from your original message but, there, I could see that you used the client ID as the audience.

Note that you have to create an Auth0 API to represent your backend API or you can use https://[your-tenant].auth0.com/userinfo if you want to retrieve an access_token to use the /userinfo endpoint.

If this doesn’t help you, please, let me know and I can further investigate this with you.

4 Likes

In our particular application we don’t need to talk to the /userinfo endpoint. We just need to use the auth and token endpoints. Do I need an audience parameter to access the /authorize endpoint? OpenID Connect specs seem to think not. Could I leave that parameter out of our request?

Also, this was working for me before. I added some new users and it no longer does.

In that case, I believe you can simply remove the audience from your call to /authorize.

Sounds good. Thanks!

Let me know if it works.
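The check discussed in this thread, as an added example that is not part of the original posts and is not Auth0's own code: it classifies a failed log entry by comparing `details.qs.audience` with `details.qs.client_id`, and builds an /authorize request that omits `audience` unless an API identifier is supplied. The helper names `diagnose` and `authorize_url`, the tenant host, and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlencode

# Constructed log entry with the same shape as the one in the thread (values made up).
SAMPLE_ENTRY = {
    "type": "f",
    "description": "Service not found: <redacted>",
    "details": {
        "qs": {"audience": "CONSTRUCTED_CLIENT_ID", "client_id": "CONSTRUCTED_CLIENT_ID",
               "response_type": "code", "scope": "openid email"},
        "error": {"message": "Service not found: <redacted>",
                  "oauthError": "access_denied", "type": "oauth-authorization"},
    },
}

def diagnose(entry, known_api_identifiers=()):
    """Classify a failed /authorize log entry (hypothetical helper)."""
    details = entry.get("details", {})
    message = details.get("error", {}).get("message", "")
    if not message.startswith("Service not found"):
        return "not-applicable"
    qs = details.get("qs", {})
    audience = qs.get("audience")
    if not audience:
        return "no-audience-sent"
    if audience == qs.get("client_id"):
        return "audience-is-client-id"   # the mistake identified in the thread
    if audience not in known_api_identifiers:
        return "unknown-audience"        # no API is registered under this identifier
    return "audience-known"              # the audience is fine; look elsewhere

def authorize_url(tenant_host, client_id, redirect_uri, state,
                  scope="openid email", audience=None):
    """Build the /authorize request; audience is sent only when an API is targeted."""
    if audience is not None and audience == client_id:
        raise ValueError("audience must be an API identifier, not the client ID")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if audience:
        params["audience"] = audience
    return f"https://{tenant_host}/authorize?{urlencode(params)}"
```
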