Auth0 Home Blog Docs

Token exchange happens before my callback attempts the exchange



Hi guys,

I am running a web server on Node.js and express. My use-case is simple, I would like users to authenticate themselves using the auth0 log in portal and then stay logged in for the duration of their session whilst on the site.

The documentation for the Node JS backend states:

Your application will need to handle the request to this callback URL, extract the code query string parameter and call the /oauth/token endpoint of the Auth0 Authentication API in order to exchange the code for the ID Token


I have structured my authentication controller to:
Direct users to auth0s log in page, take the code from the query string sent to the callback function, I then attempt to request the tokens from auth0s token endpoint in my callback function, i.e. using the following code (in the documentation):
var request = require(“request”);

var options = { method: 'POST',
  url: '',
  headers: { 'content-type': 'application/json' },
   { grant_type: 'authorization_code',
 client_id: 'YOUR_CLIENT_ID',
 client_secret: 'YOUR_CLIENT_SECRET',
 redirect_uri: 'https://YOUR_URL/callback' },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);


I have done this and I repeatedly get the error: ‘{“error”:“invalid_grant”,“error_description”:“Invalid authorization code”}’.

I then checked the logs and it appears that the token exchange is being rejected because it has already happened, i.e. whenever a user logs in, there is a successful token exchange, and then an unsuccessful one (which I am assuming is the one made in my callback function).

My questions are, where does this first exchange happen? Where is the token sent to? How do I get the token out so that I can store it in the users session?