
Use of unverified_claims in Django API quickstart doesn't work

On the quickstart - https://auth0.com/docs/quickstart/backend/django#configure-auth0-apis . It has some example code::

import jwt

....

            token = get_token_auth_header(args[0])
            unverified_claims = jwt.get_unverified_claims(token)
            token_scopes = unverified_claims["scope"].split()

Now the module jwt does not have a function get_unverified_claims (it does have get_unverified_header) but jose does, so I changed it to::

from jose import jwt

Now it fails on the next line with::

jose.exceptions.JWTError: Error decoding token claims.

Token looks like this::

'cGhvZWJlQGhvcnNldGVjaC5pZTpWYWxlZ3JvX18xMTc='

Before I go any further, can anyone confirm whether this code should use the jwt module and be called get_unverified_header or whether it should be using jose, and if jose, where the problem might be?

Hi Phoebe,

The token you have is an opaque token, not a JWT token, which is why the jose module cannot decode it. More about the 2 types of token: https://auth0.com/docs/tokens/access-tokens#access-token-structure

To get a JWT access token, you need to pass the audience parameter while you make the authorization request to get the access token.

If you used the Django Webapp Quickstart to get the access token, you can add the AUTH0_AUDIENCE parameter to the .env file:

AUTH0_AUDIENCE=YOUR_API_IDENTIFIER

and specify the scope in the webappexample\settings.py file as below:

# webappexample\settings.py 

SOCIAL_AUTH_AUTH0_SCOPE = [
    'openid',
    'profile',
    'email',
    '_SCOPE_OF_YOUR_API_',  # placeholder: replace with a scope defined on your API
]
2 Likes
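
The distinction drawn in the answer above, as an added example that is not part of the original thread or of the Auth0 quickstart: a structural check that tells a JWT access token (three dot-separated base64url segments) from an opaque one before the scope claim is read, using only the standard library instead of jose. The names `unverified_scopes`, `NotAJWTError` and `make_sample_jwt`, the sample scopes and both sample tokens are constructed for illustration.

```python
import base64
import json


class NotAJWTError(ValueError):
    """The bearer token is not a header.payload.signature JWT."""


def _b64url_json(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise NotAJWTError("segment is not base64url-encoded JSON") from exc


def unverified_scopes(token):
    """Return the scopes claimed by a JWT access token, without verifying it.

    The result is only a claim until the signature, issuer and audience
    have been validated elsewhere in the request path.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise NotAJWTError(
            "expected 3 dot-separated segments, got %d (opaque token?)" % len(parts))
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    if not isinstance(header, dict) or "alg" not in header:
        raise NotAJWTError("first segment is not a JWT header")
    if not isinstance(claims, dict):
        raise NotAJWTError("payload is not a JSON object")
    scope = claims.get("scope", "")
    return scope.split() if isinstance(scope, str) else []


def make_sample_jwt(claims):
    # Constructed test token: dummy signature, never valid for a real API.
    def enc(obj):
        raw = json.dumps(obj).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


SAMPLE_JWT = make_sample_jwt({"aud": "YOUR_API_IDENTIFIER",
                              "scope": "read:messages write:messages"})
SAMPLE_OPAQUE = "constructed-opaque-token-0123456789"  # constructed, no dots
```

Raising a dedicated error for a non-JWT token lets the API view return a clear "wrong token type" response instead of an unhandled decoding exception.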
