Social login gives JWE access token instead of JWT. It works fine for username-password flow

I have a webapp with two different logins: 1. Username-password 2. Social login with Google. For username-password, I get a JWT and on API calls to my backend, I decode this using JWKs. For social login, I get a JWE.

Below is my code to decode the token.

import jwt  # PyJWT

# Read the header without verifying, only to find which JWKS key to fetch.
unverified_header = jwt.get_unverified_header(token)
print(unverified_header)
kid = unverified_header["kid"]
# Auth0() is my own helper that looks the key up in the JWKS by kid.
public_key = Auth0().get_public_key(kid)
payload = jwt.decode(
    token,
    public_key,
    algorithms=["RS256"],
    audience=audience,
    issuer=issuer,
)

Log of unverified_header for username-password:
{'alg': 'RS256', 'typ': 'JWT', 'kid': 'kid_value'}

Log of unverified_header for social login:
{'alg': 'dir', 'enc': 'A256GCM', 'iss': ''}

How can I change JWE to JWT for social login? Note that this is working fine for the username-password flow.

Hi @aayesha.shrestha,

Thanks for your question.

To get a JWT access token, you must pass in the audience query parameter in your login request.

Have you ensured that the login request for using the Google social connection to log in includes the audience query parameter?

One option is to check your network activity to verify that the audience is in the /authorize request.

For example:

https://{yourDomain}/authorize?
    response_type=code&
    client_id={yourClientId}&
    redirect_uri={https://yourApp/callback}&
    scope={scope}&
    audience={apiAudience}&
    state={state}

Let me know what you find.

Thanks,
Rueben

@rueben.tiow I did have audience in the params.

Here’s my code for login and for login using socials.

import requests

# Username-password login (Resource Owner Password grant).
auth_response = requests.post(
    f"https://{self.AUTH0_DOMAIN}oauth/token",
    json={
        "grant_type": "password",
        "client_id": self.AUTH0_CLIENT_ID,
        "client_secret": self.AUTH0_CLIENT_SECRET,
        "username": email_address,
        "password": password,
        "connection": self.AUTH0_CONNECTION,
        "audience": f"https://{self.AUTH0_DOMAIN}api/v2/",
        "scope": "openid profile email offline_access",
    },
)

# Social login: exchange the authorization code returned to the callback.
token_url = f"https://{self.AUTH0_DOMAIN}oauth/token"
payload = {
    "grant_type": "authorization_code",
    "client_id": self.AUTH0_CLIENT_ID,
    "client_secret": self.AUTH0_CLIENT_SECRET,
    "code": code,
    "redirect_uri": redirect_to,
    "connection": self.AUTH0_CONNECTION,
    "audience": f"https://{self.AUTH0_DOMAIN}api/v2/",
    "scope": "openid profile email offline_access",
}

response = requests.post(token_url, json=payload)

And then to decode the token, I am using JWKs as:

import jwt  # PyJWT

unverified_header = jwt.get_unverified_header(token)
kid = unverified_header["kid"]
public_key = Auth0().get_public_key(kid)
auth0_domain = f"https://{Settings().auth0_domain}"
audience = f"https://{Settings().auth0_domain}api/v2/"
payload = jwt.decode(
    token,
    public_key,
    algorithms=["RS256"],
    audience=audience,
    issuer=auth0_domain,
)
auth0_user_id = payload.get("sub")

The access_token from username and password is decoded and returns the user id, but from social login I am unable to decode it and it gives this error:

kid = unverified_header["kid"]
KeyError: 'kid'

I then printed the unverified_header for

  1. social login: {'alg': 'dir', 'enc': 'A256GCM', 'iss': 'https://dev-appid.au.auth0.com/'}
  2. username-password login: {'alg': 'RS256', 'typ': 'JWT', 'kid': 'kid_value'}

Let me know if I am doing anything wrong and how I should fix this issue.
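The two headers logged above are the whole story: the password-flow token is a compact JWS (three segments, `alg` plus `kid`), while the social-login token is a compact JWE (five segments, `alg: dir` plus `enc`), which the API cannot verify against a JWKS. The helper below, an added example that is not code from either participant, inspects the header first so a JWE produces a clear classification instead of the `KeyError` on `kid`, and also checks that an /authorize URL carries the `audience` parameter Rueben points to. It uses only the standard library; the sample tokens are constructed from the logged headers and are not real Auth0 tokens.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def _b64url_decode(segment: str) -> bytes:
    # JOSE base64url drops the "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def classify_token(token: str) -> dict:
    """Read the unverified JOSE header and say which serialization this is.

    Compact JWS (a signed JWT) has 3 segments and names its signing key in
    "kid"; compact JWE has 5 segments and carries "enc". Nothing is verified
    here; the result only tells the caller whether a JWKS lookup can work.
    """
    segments = token.split(".")
    header = json.loads(_b64url_decode(segments[0]))
    if len(segments) == 5 and "enc" in header:
        kind = "JWE"  # encrypted for the issuer itself; the API cannot verify it
    elif len(segments) == 3 and "kid" in header:
        kind = "JWS"  # signed; verify with the JWKS key identified by "kid"
    else:
        kind = "unknown"
    return {"kind": kind, "alg": header.get("alg"), "kid": header.get("kid")}


def authorize_request_has_audience(authorize_url: str) -> bool:
    """True when the /authorize request carries a non-empty audience parameter."""
    query = parse_qs(urlsplit(authorize_url).query)
    return bool(query.get("audience", [""])[0])


def make_sample_token(header: dict, segment_count: int) -> str:
    """Build a constructed, unsigned token with the given header (test input only)."""
    filler = _b64url_encode(b"x")
    return ".".join([_b64url_encode(json.dumps(header).encode())] + [filler] * (segment_count - 1))


# Constructed headers mirroring the two logs in the thread (not real tokens).
JWT_SAMPLE = make_sample_token({"alg": "RS256", "typ": "JWT", "kid": "kid_value"}, 3)
JWE_SAMPLE = make_sample_token({"alg": "dir", "enc": "A256GCM", "iss": "https://{yourDomain}/"}, 5)

if __name__ == "__main__":
    for name, tok in (("password flow", JWT_SAMPLE), ("social login", JWE_SAMPLE)):
        print(name, classify_token(tok))
```

Running `classify_token` before the JWKS lookup turns the opaque `KeyError` into an explicit "this is a JWE" result, which is the cue to check the `/authorize` request for the missing `audience`.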

Hi @aayesha.shrestha,

Thanks for the reply.

I have checked both your code snippets, and everything looks good. Nothing stands out to me as to why you experienced different test results. I have not been able to reproduce the same behavior.

It might be worth trying to decode both your access tokens with jwt.io, and let me know if they are both decoded correctly as JWTs.

If the social login access token is still not a JWT, could you please send me your access token in a DM?

Thanks,
Rueben
