SPA SDK access token isn't a decodable JWT?

Help
,
1

With the old WebAuth sdk, the access token was a large-ish JWT that included a “sub” parameter, so I could, for example, decode it on my Django API server and use middleware to look up a user record and perform fine-grained app level permissioning in my GraphQL resolvers, etc.

With the new SPA SDK, the access token returned is a short little thing that doesn’t decode as a JWT. The node example here: https://github.com/auth0-samples/auth0-react-samples/blob/master/02-Calling-an-API/server.js appears to just be validating that Auth0 correctly signed the token, but there’s no way to get the info out of it.

Am I missing an important bit of conceptual understanding? It’s been a pretty long day.

2

See here:

To get a JWT, you’ll need to specify an audience.

John

3

I’m having a similar issue getting the spa sdk to return a jwt formatted access token. However, I am passing the audience. Are there any code samples available?

4

You are likely missing the scope=openid parameter. That should return a richer JWT. The shorter access_token is useful to retrieve the user profile. (which would return the sub property too, but would require a new network call)

Your API should always validate the integrity of the token (e.g. signature, expiration, etc).

5

There was an incorrect audience in the call, so this is fixed. Thanks for your help.

6

Perfect to hear that @gavindoughtie and thanks for sharing!

7

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.