"Service not found" Error With Client ID

r.schuster3 · August 3, 2018, 5:29pm

While trying to login using OpenID Connect (at the /authorize endpoint) I immediately get an access_denied response from Auth0. When I go to logs in Auth0, I see this error:

{
  "date": "2018-08-03T17:16:49.238Z",
  "type": "f",
  "description": "Service not found: *****",
  "connection_id": "",
  "client_id": "******",
  "client_name": "Editor UI Test",
  "ip": "*****",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
  "details": {
    "body": {},
    "qs": {
      "audience": "******",
      "state": "bgcbjwivth",
      "redirect_uri": "https://******.com/api/sso/openid-backend",
      "response_type": "code",
      "client_id": "*****",
      "scope": "openid email"
    },
    "error": {
      "message": "Service not found: ****",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    }
  },
  "hostname": "[tenant].auth0.com",
  "log_id": "90020180803171649238129015640224429796132571207373422706"
}

I know that client ID is correct. I even created a new Auth0 application and updated my web app’s settings to reflect its new client ID, but got the same error. What’s going on?

bruno.krebs · August 3, 2018, 9:04pm

Hello there, Ryan.

You are probably using the wrong audience (a.k.a. API Identifier). For security purposes, we have removed sensitive data from your original message but, there, I could see that you used the client ID as the audience.

Note that you have to create an Auth0 API to represent your backend API or you can use https://[your-tenant].auth0.com/userinfo if you want to retrieve an access_token to use the /userinfo endpoint.

If this doesn’t help you, please, let me know and I can further investigate this with you.

r.schuster3 · August 3, 2018, 9:13pm

In our particular application we don’t need to talk to the/ userinfo endpoint. We just need to use the auth and token endpoints. Do I need an audience parameter to access the /authorize endpoint? OpenID Connect specs seem to think not. Could I leave that parameter out of our request?

r.schuster3 · August 3, 2018, 9:17pm

Also, this was working for me before. I added some new users and it no longer does.

bruno.krebs · August 3, 2018, 9:41pm

In that case, I believe you can simply remove the audience from your call to /authorize.

r.schuster3 · August 3, 2018, 9:45pm

Sounds good. Thanks!

bruno.krebs · August 3, 2018, 9:48pm

Let me know if it works.