Unable to get userinfo returns 400 bad request

I have been battling with this issue. I verified that I do have the "openid" scope as part of my JWT authorization flow.

But I see the following errors:

POST /userinfo HTTP/1.1
Host: minio.us.auth0.com
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImwxaVNVTTB0UEc1UkRxVzBNdXlRSyJ9.eyJodHRwczovL21pbi5pby9wb2xpY3kiOiJyZWFkd3JpdGUiLCJpc3MiOiJodHRwczovL21pbmlvLnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2MGJmZDA2MzVkODlhNTAwNjk5YmI5MWQiLCJhdWQiOiJaODNONmhqS3daQXlwb1dYbjVpakQxVlpaWGs3ZHAyUiIsImlhdCI6MTYyMzE4NTMyNSwiZXhwIjoxNjIzMjIxMzI1fQ.nEFmSZ0thctx_82wm_L60PzinSxb6XwVdvjGwsK2RC3G7Lp0zmtpc9ysOI_pcMQNcADi3eyBI0rt_bnaxqIzE-L5ehjmr6EooDv4X_dOSuG1BnWzbct0lxA0GvuNuIb7dloHKIcKaC44sNHjcBvVsKJonF7aPJqP4BauWSJEqSsqjIrKAchrxVr-h4JpSPRJjGUqTjSPTgsixZMIDLS3RU35fSwdgfWzxMSfCilWRwwkY4ZRMH_jvBU9c3H-_sXEKkLZ4j-kwk0rCNVFK5Gqjl8xIIGtnYPk9HQG6pindxtuerQpR6fEsRsfs4dld-mB0QSixuutAAaGrtelviDPHA


HTTP/1.1 400 Bad Request
Content-Length: 2246
Access-Control-Allow-Credentials: false
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
Alt-Svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-transform
Cf-Cache-Status: DYNAMIC
Cf-Ray: 65c4fb9b8a603af7-SJC
Cf-Request-Id: 0a8efb953d00003af7218a5000000001
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Date: Tue, 08 Jun 2021 20:48:45 GMT
Etag: W/"8c6-ASVLHJI6NPi7Mg60GCPQ1MrrRu8"
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Ot-Baggage-Auth0-Request-Id: 65c4fb9b8a603af7
Ot-Tracer-Sampled: true
Ot-Tracer-Spanid: 01118e9c07c165ea
Ot-Tracer-Traceid: 430215c00c33786c
Server: cloudflare
Set-Cookie: did=s%3Av0%3Aeacd1640-c89a-11eb-9b24-65a1e012a565.aCx%2BGc37YoyULtP1u%2FREvfckGmgSpGJT1eUtgufUae0; Max-Age=31557600; Path=/; Expires=Thu, 09 Jun 2022 02:48:45 GMT; HttpOnly; Secure; SameSite=None
Set-Cookie: did_compat=s%3Av0%3Aeacd1640-c89a-11eb-9b24-65a1e012a565.aCx%2BGc37YoyULtP1u%2FREvfckGmgSpGJT1eUtgufUae0; Max-Age=31557600; Path=/; Expires=Thu, 09 Jun 2022 02:48:45 GMT; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000
Vary: Origin
X-Auth0-Requestid: 20acaa4e6df9b3f446c4
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 300
X-Ratelimit-Remaining: 299
X-Ratelimit-Reset: 1623185326

<html>
  <head>
    <meta charset="utf-8">
    <link href="https://cdn.auth0.com/styleguide/latest/index.min.css" rel="stylesheet" />
    <link rel="stylesheet" href="https://cdn.auth0.com/backend-templates/main.css">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>minio</title>
  </head>
  <body>
    <div class="unhandled-error-cont tenant-error-cont ">
      <div class="error-header">
        <span class="error-icon">

          <span class="error-face">
            <span class="error-face-eye left-eye eye-blink"></span>
            <span class="error-face-eye right-eye eye-blink"></span>
            <span class="error-mouth"></span>
          </span>

        </span>
        <h3 class="error-title">minio</h3>

          <h3 class="error-subtitle">Oops!, something went wrong</h3>

      </div>
      <div class="error-body">
        <p class="error-message">

          There could be a misconfiguration in the system or a service outage. We track these errors automatically, but if the problem persists feel free to contact us.<br/>Please try again.

        </p>
      </div>
      <div class="error-footer">
        <div class="footer-groups cf">
          <span class="footer-group">
            <i class="footer-group-icon read-docs"></i>
            <h4 class="footer-group-title">TECHNICAL DETAILS</h4>
            <a href="#" class="toggle-details">See details for this error</a>
          </span>
          <span class="footer-group">
            <h4 class="footer-group-title">SUPPORT</h4>

              <p class="footer-group-detail">Please contact the systems administrator.</p>

          </span>
        </div>
        <div class="error-details">
          <p class="error-status">

            clientID cannot be null

          </p>



          <span class="error-id">
            <span class="error-id-title">TRACKING ID: </span><span class="error-id-content">20acaa4e6df9b3f446c4</span>
          </span>

        </div>
      </div>
    </div>
    <script src="https://cdn.auth0.com/backend-templates/main.js?v=1"></script>
  </body>
</html>

I am not sure what this means:

        <div class="error-details">
          <p class="error-status">

            clientID cannot be null

          </p>

The claims seem to be perfect from what I can expect:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "l1iSUM0tPG5RDqW0MuyQK"
}.{
  "https://min.io/policy": "readwrite",
  "nickname": "test",
  "name": "test@m.io",
  "picture": "https://s.gravatar.com/avatar/08c1042729aee713f654455336f104fc?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fte.png",
  "updated_at": "2021-06-08T20:33:54.263Z",
  "email": "test@m.io",
  "email_verified": true,
  "iss": "https://minio.us.auth0.com/",
  "sub": "auth0|60bfd0635d89a500699bb91d",
  "aud": "Z83N6hjKwZAypoWXn5ijD1VZZXk7dp2R",
  "iat": 1623184434,
  "exp": 1623220434,
  "nonce": "U1cuN16R9U8qvygZ"
}.[Signature]

Any help here would be greatly appreciated. Thanks!

NOTE: Before anyone asks whether I have tried GET instead of POST for /userinfo: yes, I have, and the error response is the same.

Hi @y4m4,

Welcome to the Community!

Can you show us how you are requesting the token? It looks like it may be missing the right audience.

@dan.woda I am requesting using the normal mechanisms: minio/web-identity.go at master · minio/minio · GitHub

The flow is the regular OAuth2 flow with client_id and client_secret; what I want to do is send the token obtained from this to the userinfo endpoint.

I have also added the decoded claims from the regular JWT.

The decoded token example and the token from the request are different. It looks like the encoded token from the request is an Access Token, and the decoded token you provided is an identity token.

I also don’t see you sending an audience param in the request (although I see one in the access token you sent). Because of this, you should receive an opaque (non-JWT) token in return. I’m not sure how you got that access token.

Can you DM me a HAR file of the auth transaction?
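The distinction the reply above draws between the ID token and the access token, as an added example that is not part of this thread and not MinIO's or Auth0's code: a small Go inspector that decodes a JWT without verifying it, classifies it heuristically as ID token or access token from its claims, and reports why a given token would be the wrong bearer for /userinfo (ID token, no audience, other issuer, expired). The issuer, client ID, kid, subject and token values are constructed placeholders, and `MakeUnsignedJWT` exists only to build those sample tokens.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is one decoded JWT segment; values stay untyped because "aud" may be a string or an array.
type Claims map[string]interface{}

// DecodeJWT splits a compact JWT and base64url-decodes its header and payload.
// It performs NO signature verification: inspection only, never an authorization decision.
func DecodeJWT(token string) (header, claims Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("expected 3 segments, got %d (opaque token?)", len(parts))
	}
	for i, dst := range []*Claims{&header, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil {
			return nil, nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		if err := json.Unmarshal(raw, dst); err != nil {
			return nil, nil, fmt.Errorf("segment %d is not JSON: %w", i, err)
		}
	}
	return header, claims, nil
}

// IsIDToken is a heuristic: OIDC ID tokens carry a nonce and/or profile claims
// (email, name, nickname, picture); access tokens normally carry neither.
func IsIDToken(claims Claims) bool {
	for _, k := range []string{"nonce", "email", "name", "nickname", "picture"} {
		if _, ok := claims[k]; ok {
			return true
		}
	}
	return false
}

// Audiences normalises the "aud" claim, which may be a single string or an array.
func Audiences(claims Claims) (out []string) {
	switch v := claims["aud"].(type) {
	case string:
		out = append(out, v)
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// CheckForUserinfo reports why a token is unsuitable as the bearer for /userinfo:
// it is the ID token, it names no audience, it came from another issuer, or it has expired.
func CheckForUserinfo(token, issuer string, now time.Time) error {
	_, claims, err := DecodeJWT(token)
	if err != nil {
		return err
	}
	if IsIDToken(claims) {
		return errors.New("this is the ID token; /userinfo expects the access token from the same token response")
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return fmt.Errorf("issuer %q does not match expected %q", iss, issuer)
	}
	if len(Audiences(claims)) == 0 {
		return errors.New("token has no aud claim")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return errors.New("token has no exp claim or has expired")
	}
	return nil
}

// MakeUnsignedJWT builds a compact JWT with an empty signature segment, purely to
// construct sample input for this example; real tokens are signed by the IdP.
func MakeUnsignedJWT(header, claims Claims) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(header) + "." + enc(claims) + "."
}

// Constructed samples shaped like the two tokens in the thread; all values are placeholders.
var (
	SampleIssuer      = "https://example-tenant.example/"
	sampleHeader      = Claims{"alg": "RS256", "typ": "JWT", "kid": "EXAMPLE-KID"}
	SampleIDToken     = MakeUnsignedJWT(sampleHeader, Claims{"iss": SampleIssuer, "sub": "auth0|EXAMPLE",
		"aud": "EXAMPLE-CLIENT-ID", "email": "test@example.test", "nonce": "EXAMPLE-NONCE", "iat": 1623184434, "exp": 1623220434})
	SampleAccessToken = MakeUnsignedJWT(sampleHeader, Claims{"https://min.io/policy": "readwrite", "iss": SampleIssuer,
		"sub": "auth0|EXAMPLE", "aud": "EXAMPLE-CLIENT-ID", "iat": 1623185325, "exp": 1623221325})
)

func main() {
	now := time.Unix(1623185400, 0) // constructed clock inside both tokens' validity windows
	for name, tok := range map[string]string{"id_token": SampleIDToken, "access_token": SampleAccessToken} {
		_, claims, _ := DecodeJWT(tok)
		fmt.Printf("%-12s idToken=%v aud=%v check=%v\n", name, IsIDToken(claims), Audiences(claims), CheckForUserinfo(tok, SampleIssuer, now))
	}
}
```

`go run` prints one line per sample: the ID-token sample is rejected as a /userinfo bearer, the access-token sample passes. The claim heuristic is only a hint; the authoritative signal is which field of the token response (`id_token` or `access_token`) the value was read from. An opaque access token, which is what the reply says you get without an audience parameter, has no dots and so fails `DecodeJWT` with the "opaque token?" hint: treat that as "cannot inspect", not as "unusable", since an opaque token cannot be read locally at all.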