Setup OIDC Server to use with Plaid Core Exchange

amol · September 6, 2023, 5:25pm

I’m working on setting up our application with Plaid’s Core Exchange network (Introduction – Plaid Core Exchange). They mention we can use auth0 to be our OIDC server but I don’t see any docs around this or how to get started.

Can someone help?

dan.woda · September 8, 2023, 6:02pm

Hi @amol

Welcome to the Auth0 Community!

I took a look at Plaid’s Authentication – Plaid Core Exchange document, and it appears you should be able to create an Application within Auth0 to represent Plaid and authenticate that way.

Here’s how to create an app in Auth0:

amol · September 14, 2023, 6:04pm

Thanks Dan!

I’m actually just using our existing Auth0 application that we have setup in Auth0. Our user app is a NextJS app using NestJS as our backend. We use NextAuth and Passport to handle all user validation. I was able to successfully receive an access token from Auth0 through Plaid. However, the access token is invalid and we get a 401 when Plaid sends a request to our app backend. This is because Passport is unable to validate the token.

On the backend, we have setup our NextAuth callbacks as below:

callbacks: {
    async jwt({ token, account }) {
      if (account?.access_token) {
        token.accessToken = account.access_token;

        const me = await axios.get(`${process.env.NEXT_PUBLIC_API_URL}/user`, {
          headers: {
            Authorization: `Bearer ${token.accessToken}`,
          },
        });

        token.user = me.data as SessionUserInterface;
      }

      return token;
    },
    session: ({ session, token }) => {
      const sessionKey = uuid();
      session.accessToken = token.accessToken as string;
      session.sessionKey = sessionKey;

      session.user = token.user as SessionUserInterface;

      return session;
    },
    async signIn({ account }) {
      if (!isProduction) {
        return true;
      }
      if (account?.access_token) {
        const userData = await axios.get(`${process.env.NEXT_PUBLIC_API_URL}/user`, {
          headers: {
            Authorization: `Bearer ${account?.access_token}`,
          },
        });

        const user = userData.data as SessionUserInterface;

        if (user.status === StatusEnum.ACTIVE) {
          analytics.identify({
            userId: user.id,
            traits: {
              email: user.email,
              firstName: user.profile?.firstName,
              lastName: user.profile?.lastName,
              country: user.profile?.countryCode,
            },
          });
        }
      }

      return true;
    },
  },

type or paste code here

dan.woda · September 14, 2023, 6:05pm

Are you able to decode the token and inspect the claims? You can use jwt.io

amol · September 14, 2023, 6:11pm

Yeah it has an invalid signature and there is no payload

dan.woda · September 14, 2023, 6:13pm

It sounds like you may have an opaque token:

amol · September 14, 2023, 6:14pm

So Plaid needs to hit the /userinfo endpoint with that token?

amol · September 14, 2023, 6:15pm

Or they need to include an audience parameter?

dan.woda · September 14, 2023, 6:16pm

If your app needs a JWT, add an audience param to the request.

amol · September 14, 2023, 6:31pm

that was it! thanks a lot!

dan.woda · September 15, 2023, 3:55pm

Perfect! Thanks for following up.

system · September 29, 2023, 3:56pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.