Hi! I am having trouble with implementing a client-credentials flow used by a webtask script, and would really appreciate some help.
I am able to get an access_token using the cURL command provided in the Quick Start page in my client, as such:

curl --request POST \
  --url https://*****.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"CXG6bVUbm******PqbQOlGdlYx","client_secret":"{AUTH0_CLIENT_SECRET}","audience":"https://cmd-list","grant_type":"client_credentials"}'
Response from the above request:
{"access_token":"**************","expires_in":86400,"token_type":"Bearer"}
However, I am unable to verify the returned token using the same {AUTH0_CLIENT_SECRET} - I keep getting Unauthorized: invalid signature. I have tried validating the token with both https://jwt.io/ and my own token validation code:

const jwt = require('jsonwebtoken');
const user = jwt.verify(token, authParams.clientSecret, {
  algorithms: ['HS256'],
  audience: 'https://cmd-list',
  issuer: 'https://*********.auth0.com/'
});
Context:
- The jwt library is jsonwebtoken@7.1.9, required in a webtask script.
- I'm trying to customize the validateToken function in the webtask-tools auth0 library, since it assumes the audience to be the clientId, which is not the case.
- I have also tried using Buffer.from(authParams.clientSecret, 'base64') as the second argument for jwt.verify() - no dice.