Unauthorized 'Invalid token' response when trying to call Authorization API

authorization-extens
api-authorization
unauthorized

#1

I’m trying to use the Authorization extension in this way:

    var request = require('request');

    // Step 1: client-credentials grant to obtain an access token
    var options = {
      method: 'POST',
      url: 'https://{MY_DOMAIN}/oauth/token',
      headers: { 'content-type': 'application/json' },
      body: {
        client_id: '{CLIENT_ID}',
        client_secret: '{CLIENT_SECRET}',
        audience: '{MY_MACHINE_TO_MACHINE_APP}',
        grant_type: 'client_credentials',
        scope: 'read:roles read:current_user'
      },
      json: true
    };

    request(options, function (error, response, body) {
      if (error) throw new Error(error);
      // Step 2: call the Authorization Extension API with the token from step 1
      var options = {
        method: 'GET',
        url: 'https://{AUTHORIZATION_URL_FROM_EXPLORER}/api/roles',
        headers: {
          authorization: `Bearer ${body.access_token}`
        }
      };
      request(options, function (error, response, body) {
        if (error) throw new Error(error);
      });
    });

The first request returns a correct access token. But the second request always returns an Unauthorized 401 response with the following content:

    {
      "statusCode": 401,
      "error": "Unauthorized",
      "message": "Invalid token",
      "attributes": {"error": "Invalid token"}
    }

What could be the reason for this behaviour?


#3

:wave: The code you shared looks to be set up correctly. The POST call to get the token looks to be set up correctly and you have the read:roles scope enabled. What version of the authorization extension do you have set up?


#4

As I understand it, I use the v2 Authorization extension.


#5

Thanks for letting me know! And you’re using YOUR_TENANT.us.webtask.io for the {AUTHORIZATION_URL_FROM_EXPLORER} value? I am going to take a look with my team to see if there are currently any issues with the v2 authorization extension, because your request looks correct to me.


#6

I found the issue. Sorry, it was my fault. I incorrectly followed the tutorial and did not enable API access to the authorization extension. Then I created a custom authorization extension API and used credentials from it. Now I have enabled API access, and with the auto-generated API credentials this request returns a normal response.


#7

Oh perfect! Glad you were able to figure out the issue!
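
One way to catch the mismatch resolved in post #6 before calling the API, as an added example that is not part of the original thread or Auth0's own code: decode the access token's claims and compare them with what the target API expects. It assumes the access token is a JWT carrying `aud`, `scope` (space-delimited) and `exp` claims; the audience identifiers, sample tokens and function names are constructed placeholders.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. Diagnostic use only:
// never make an authorization decision from an unverified token.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT (opaque token?)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare the token's claims with what the target API expects and return a
// list of human-readable problems (an empty list means the claims look right).
function diagnoseToken(token, expectedAudience, requiredScopes, nowSeconds) {
  let claims;
  try { claims = decodeJwtPayload(token); } catch (e) { return [e.message]; }
  const problems = [];
  // "aud" may be a single string or an array of strings.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) {
    problems.push(`aud is ${JSON.stringify(claims.aud)}, API expects "${expectedAudience}"`);
  }
  const granted = new Set(String(claims.scope || '').split(' ').filter(Boolean));
  for (const s of requiredScopes) {
    if (!granted.has(s)) problems.push(`missing scope "${s}"`);
  }
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) {
    problems.push('token expired');
  }
  return problems;
}

// Build constructed, unsigned sample tokens (fake signature) for the demo.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const EXPECTED_AUD = 'urn:example-authz-api'; // placeholder API identifier (assumption)
const NOW = 1700000000;                       // fixed clock so the demo is repeatable
// Token minted for a different, custom API: the situation described in post #6.
const wrongApiToken = makeSampleToken({ aud: 'https://custom-api.example', scope: 'read:roles', exp: NOW + 3600 });
// Token minted for the API that the endpoint actually validates against.
const rightApiToken = makeSampleToken({ aud: EXPECTED_AUD, scope: 'read:roles read:current_user', exp: NOW + 3600 });

console.log(diagnoseToken(wrongApiToken, EXPECTED_AUD, ['read:roles'], NOW));
console.log(diagnoseToken(rightApiToken, EXPECTED_AUD, ['read:roles'], NOW));
```

A token that decodes cleanly but reports an `aud` problem was issued for a different API than the one being called, so the fix lies in the client's credentials and audience, not in the request code.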