
Unable to validate id_token in Spring Application / Unable to get access token as JWT

id_token
spring
java
express
express-jwt

#1

Hello,
I have been struggling for 2 weeks to use Auth0 successfully. I have created an application using React and Node (+Express). This side communicates with my APIs (Spring Boot applications). I am using passport.js to save the token so as to use it in my requests, and I have created an Auth0 strategy for this (as suggested here: https://github.com/auth0/passport-auth0). After a successful login I manage to get two tokens: one id_token in JWT format and one access token not in JWT format. Although the ID token can be verified in the JWT.io debugger with my public key (using RS256), it cannot be verified with any of the JWT.io libraries on the Java side. (Also, I grabbed a test token from the /token endpoint and used it in my requests, and I can confirm that it was properly verified on the Java side, so I know that the JWT.io library works properly.)
So, I am not sure what the problem is here. Should I use this token for Bearer requests to my APIs? Or does the strategy need to change?

I have given my application a unique identifier, but I cannot generate an access token in JWT format. I am using the default Auth0 login form, and I can see in the network tab that the /authorize endpoint is being called, which is supposed to give you the access token.
Does anyone know how I can get an access token in JWT format so I can pass it to my Spring applications?
Any recommendation, tip or advice is much appreciated.
Thank you


#2

You should not be using ID tokens to authorize requests to an API (aka resource server); the access token should be used for that.

In your scenario you should have configured in Auth0:

  • a client application that represents your React SPA served by Node.js; see the Clients section of the dashboard.
  • an API that represents your resource server served by Spring; see the APIs section of the dashboard.

Having completed the above, the client application should perform an end-user authentication/authorization request that includes an audience parameter with the value of the API identifier you provided when you configured your API.

When you provide an audience parameter associated with a custom API you configured, the resulting access token will indeed be a JWT; have in mind that it is a JWT because at this time that's the only format supported for custom APIs. In the future, at the time you configure the API, it may also be possible to select another token format.


#3