/userinfo endpoint returns 401

I have two single page applications in two different tenants.

The first app, which I set up a while ago, works perfectly. Using the Auth0 SDK, calling AuthenticationClient.getProfile(token) returns the profile and everything is good.

The second app, that I’ve only recently set up, acts weirdly and I cannot figure out why. Perhaps I missed something while setting it up, but I honestly do not think that this is the case.

When I use Postman the following cURL returns the profile:

curl --location 'https://APPNAME.eu.auth0.com/userinfo' \
--header 'Authorization: Bearer TOKEN'

When I call the same endpoint using the SDK or Axios in a cloud function I receive a 401.

Using https://jwt.io/, the token is decoded like this for both apps:

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "dir",
  "enc": "A256GCM",
  "iss": "https://APPNAME.eu.auth0.com/"
}

PAYLOAD:DATA

""

VERIFY SIGNATURE

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

I would expect a more detailed error message in Monitoring > Logging, but nothing with regard to the failed attempt shows up there.

A side-by-side comparison of the two environments yields no clues. How do I figure out what exactly is going wrong?

Hi @gwesterman,

When using the /userinfo endpoint, it requires an opaque token. If you attempt to decode an opaque token on jwt.io (meant to decode JWT access tokens), it will return the decoded token in the format you shared in your post. Generally, you will want to validate an opaque access token by using it with the /userinfo endpoint, as you have been trying.

Could you share an example of your request using the SDK and Axios, which led to the 401 error?

Thanks,
Rueben
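
A diagnostic for comparing what Postman and the cloud function each send, added here as an example and not part of either post or of the Auth0 SDK. It classifies a token by its compact serialization (five parts with an `enc` header is a JWE, which matches the jwt.io output in the question) and returns a short fingerprint instead of the bearer value, so the result can be logged. `inspectToken`, `decodeHeader` and the sample token are hypothetical names and constructed data.

```javascript
const { createHash } = require('node:crypto');

// Decode a base64url segment as a JSON object; null if it is not one.
function decodeHeader(segment) {
  try {
    const h = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    return h && typeof h === 'object' ? h : null;
  } catch {
    return null;
  }
}

// Report the token's shape and any transport damage, never the token itself.
function inspectToken(raw) {
  const issues = [];
  let token = String(raw);
  if (token !== token.trim()) issues.push('leading/trailing whitespace');
  token = token.trim();
  if (/^["'].*["']$/s.test(token)) {
    issues.push('wrapped in quotes');
    token = token.slice(1, -1);
  }
  if (/^bearer\s+/i.test(token)) {
    issues.push('value already starts with "Bearer "');
    token = token.replace(/^bearer\s+/i, '');
  }
  const parts = token.split('.');
  const header = parts.length > 1 ? decodeHeader(parts[0]) : null;
  let kind = 'opaque'; // no readable JOSE header
  if (header && parts.length === 5 && header.enc) kind = 'JWE'; // RFC 7516 compact form
  else if (header && parts.length === 3) kind = 'JWS'; // RFC 7515 compact form
  // Short hash of the cleaned token: safe to log and compare across clients.
  const fingerprint = createHash('sha256').update(token).digest('hex').slice(0, 16);
  return { kind, header, segments: parts.length, fingerprint, issues };
}

// Constructed sample, not a real token: header copied from the post, rest is filler.
const b64u = (s) => Buffer.from(s).toString('base64url');
const SAMPLE = [
  b64u(JSON.stringify({ alg: 'dir', enc: 'A256GCM', iss: 'https://APPNAME.eu.auth0.com/' })),
  '', // "dir" means no encrypted key segment
  b64u('iv-filler'), b64u('ciphertext-filler'), b64u('tag-filler'),
].join('.');

console.log(inspectToken(SAMPLE));
console.log(inspectToken(`Bearer ${SAMPLE}\n`));
```

Run it on the value passed to the SDK or Axios call and on the value used in Postman: matching fingerprints with an empty `issues` list mean the same token reached both clients intact.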