Spring Boot as Google Actions fulfillment server with Auth0 opaque token instead of JWT

I have a Spring Boot application that allows me to log in via OAuth2. After a successful login I receive a JWT token with all the required information.
I then configured Google Actions.

Google Actions redirects all requests to my Spring Boot application. So when I try to connect to my Google Home service, I have the following path: request to OAuth2 → login via Google account → request to Spring Boot with Bearer token (opaque).

In the last step, I would like to get the JWT token instead of the opaque one. Should I always request https://.auth0.com/userinfo with the bearer token after receiving a request to my Spring Boot app?
This is not very efficient; is it not possible to just pass the JWT?

You need to pass in an audience parameter to get a JWT instead of an opaque token. This issue has a workaround.


Thank you, but I have a feeling that we did not understand each other.
Login via my Spring Boot app works well; I get a JWT token. I have a problem with the JWT token (opaque) when I'm trying to connect over the Google Home app.
That path doesn't work: Open Google Home (app) → Add service → Select XYZ → it opens a web page with my Auth0 page → Authorize via Google Home account → it sends a request to the fulfillment server (my Spring Boot app) → on my server I get an opaque token instead of a JWT, so I have a problem identifying the user.

I’m sorry. I’ve never worked with Google Home as an app developer, so I’m not sure what the problem might be. You might try posting this question on the Google Home forums if the Auth0 part is working as expected.


I am having the same issue with opaque tokens being produced. I know the answer is to specify an aud (audience) element, but I thought I could do that for my application.

However, that doesn't seem possible just for an application, and when I attempt to do this as a global setting (which seems wrong anyway) it throws an error in the Auth0 app.

The documentation then goes very off piste and starts talking about APIs?? Now I'm not sure if I need one of those as well.

Any guidance that is less confusing than the docs would be much appreciated... I just need my application to produce JWTs with an aud? (Or, if I'm barking up the wrong tree, some direction.) Thanks in advance.

If you don't pass in an audience parameter to the /authorize endpoint, you will not receive a JWT. You will get an opaque access token that's just a random string of characters. You can use it to call the /userinfo endpoint, but not your other APIs that Auth0 secures.

So, long story short, I worked it out. There is a serious lack of knowledge or working examples of using Auth0 with Google Actions, so I have written a short blog on the solution I've ended up with.

The answer was to add an audience as a request parameter, e.g.

Fulfillment URL = https://auth-hostname.eu.auth0.com/authorize?audience=https://actionhub.co.uk/

Hope that helps someone else.

Also, if you can spot a better way then please let me know and I can update the solution. Again, it seems very misleading that I needed both an M2M application and an API. Both confusing and a bit unnecessary.
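The solution posted above only covers the Auth0 side (adding `audience` to the /authorize URL so the access token is a JWT). The fulfillment server then has to actually verify that JWT, including its `aud` claim, or an access token minted for some other API in the same tenant would be accepted. The following Spring Boot resource-server configuration is an added example and is not code from the thread or from the poster's blog; it assumes Spring Security 6, the issuer `https://auth-hostname.eu.auth0.com/` and the API identifier `https://actionhub.co.uk/` from the URL above, and a hypothetical `/fulfillment/**` path for the Google Actions webhook.

```java
// Added example (not from the thread): Spring Boot resource-server config that
// accepts only Auth0-issued JWT access tokens minted for one specific audience.
// Assumed values: issuer https://auth-hostname.eu.auth0.com/ and audience
// https://actionhub.co.uk/ (the API identifier used in the poster's authorize URL).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class FulfillmentSecurityConfig {

    // Assumed deployment values; in a real app these come from application.properties.
    private static final String ISSUER = "https://auth-hostname.eu.auth0.com/";
    private static final String AUDIENCE = "https://actionhub.co.uk/";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        http
            // Hypothetical webhook path; everything else is closed off.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/fulfillment/**").authenticated()
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // fromIssuerLocation reads the OIDC discovery document and the tenant's JWKS,
        // so the RS256 signature is checked against Auth0's published keys.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);

        // Default validators cover exp/nbf and iss; the audience check is added on top,
        // because Spring Security does not enforce aud unless you tell it to.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            withIssuer, new AudienceValidator(AUDIENCE)));
        return decoder;
    }

    /** Rejects tokens whose aud claim does not name this API. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            // aud may be a list; Auth0 also adds the userinfo endpoint when openid scope is requested.
            if (jwt.getAudience().contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "aud does not contain " + audience, null));
        }
    }
}
```

With this in place an opaque token (the failure mode the thread started with) is rejected at the decoder, since it is not parseable as a JWT, and the response is a 401 with `WWW-Authenticate: Bearer error="invalid_token"` rather than an exception inside the fulfillment handler. The user identity for the Google Home account is then read from the `sub` claim of the validated `Jwt` principal, with no round trip to /userinfo per request.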