Using access_tokens in nodejs

I have been following your tutorials, which are great, and I am having difficulties finding a specific scenario:
Looking at all of the examples and snippets, we have this bit of code, which is pretty common:

var strategy = new Auth0Strategy(
  {
    domain: process.env.AUTH0_DOMAIN,
    clientID: process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
    callbackURL:
      process.env.AUTH0_CALLBACK_URL || 'http://localhost:3000/callback'
  },
  function (accessToken, refreshToken, extraParams, profile, done) {
    // accessToken is the token to call the Auth0 API (not needed in most cases)
    // extraParams.id_token has the JSON Web Token
    // profile has all the information from the user
    return done(null, profile);
  }
);

I am referring to the accessToken. I need to reuse that same user's access_token to make calls to a backend API to retrieve that user's details, but the access_token used in the Bearer token is giving me “Wrong number of segments”.

This token does not look the same as the accessToken the user provided, please advise.

Hi @carolus,

Welcome back!

Can you send me the token in a DM so I can take a look at the format?

It may be an opaque token, since you have not added an audience to the request. This would not be in JWT format.

Thanks,
Dan

Hi Dan,

Here is the token I expect to get signing the user in using the lock:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik5USTFORU5GUXpNMk9VVTBPVUZFUTBVM1JqbENNekEyT1RVNVJrVkdSRFpDUmpWQ01ESTFPQSJ9.eyJodHRwOi8vcGFoZS5jby91aWQiOiIxMDYwIiwiaXNzIjoiaHR0cHM6Ly9hdXRoLnBhcmNlbHNoZXJlLmNvbS8iLCJzdWIiOiJhdXRoMHwxMDYwIiwiYXVkIjpbImh0dHBzOi8vYXBpLnBhcmNlbHNoZXJlLmNvbS92MSIsImh0dHBzOi8vcGFyY2Vsc2hlcmUuZXUuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTU4MTg5MTIzMSwiZXhwIjoxNTgxOTc3NjMxLCJhenAiOiIxOXM5MDM0cUJmODBBV2N5MllsU1RNNTlVb0x2Rzd6MCIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgdXNlciIsImd0eSI6InBhc3N3b3JkIn0.zV2k3M-cDyII4ttmdqB3s9TErQNdzjNYQQUOEcK91wHuxwtdg5bamX1trmm0N7hR5m6nf0OUR72_MPzR-K7WVohRApiTFic5DIEppJfppHetJtL1LQeG6OVnABYw6nlXDWV4KEQ8C4Kaw17xBJqcTintFBfxW1zfpOngp5bGta1rDm4PLpdhQjvM3y2fE9WF40g3F46iXReyxEz1z-sZ_vgUP_s6I7g0NY_AkYnfTQSUdkufUuLQpi936CfAQlKlGPjG525yjdmn4-ELf1_sWoRGT8VJ9ppTQbGWXeVA07y3LhnWAOu1LrEuYV6O4AUgY7fY2t8HfVHji8zJ72HucA

The problem is this is not what pops out when I write the accessToken (param 1) to the console. When I then call the backend API it will obviously fail, as it does not even look like a JWT.

Thanks for looking into this.
Carolus

As @dan.woda mentioned, you may be getting an opaque token (which is just a string of random characters) rather than the JWT you are expecting. If the token you are getting is just a string of random characters, and not an encoded JWT (string + '.' + string + '.' + string), then it is most likely an opaque token, in which case you likely need to change the way you are getting the token from the authorization server, possibly by adding an audience parameter as Dan mentioned.


Hi Mark, thanks, let me investigate and come back with the results.

Thanks, exactly what I was missing:

// Perform the login, after login Auth0 will redirect to callback
route.get('/login', passport.authenticate('auth0', {
    scope: 'openid profile user',
    audience: 'https://api.testing.com/v1'
}), function (req, res) { res.redirect('/'); });
route.get('/auth/callback', LoginController.loginCallback);
route.get('/logout', secured(), LoginController.logout);

Thank you Mark and Dan.
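
Added example, not part of the original thread or Auth0's code: a Node.js check that tells an opaque access token from a JWT by its segment count and confirms the expected audience before the token is forwarded as a Bearer token. The helper name `inspectAccessToken` and the sample tokens are constructed for illustration; the audience value is the one from the post above.

```javascript
// Diagnostic only: decodes without verifying the signature.
// The receiving API must still validate the JWT properly.
function decodeSegment(segment) {
  // JWT segments are base64url-encoded JSON objects
  const value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  if (value === null || typeof value !== 'object') throw new Error('not a JSON object');
  return value;
}

// inspectAccessToken is a hypothetical helper name, not part of passport-auth0.
function inspectAccessToken(token, expectedAudience) {
  if (typeof token !== 'string' || token.length === 0) {
    return { kind: 'missing', usable: false, reason: 'no token supplied' };
  }
  const segments = token.split('.');
  if (segments.length !== 3) {
    // A JWT parser rejects this shape ("Wrong number of segments" in the thread)
    return { kind: 'opaque', usable: false,
      reason: `got ${segments.length} segment(s), expected 3; was an audience requested?` };
  }
  let header, payload;
  try {
    header = decodeSegment(segments[0]);
    payload = decodeSegment(segments[1]);
  } catch (err) {
    return { kind: 'malformed', usable: false, reason: 'segments are not base64url JSON' };
  }
  // "aud" may be a single string or an array of strings
  const audiences = [].concat(payload.aud || []);
  if (!audiences.includes(expectedAudience)) {
    return { kind: 'jwt', usable: false, alg: header.alg,
      reason: `aud ${JSON.stringify(audiences)} lacks ${expectedAudience}` };
  }
  return { kind: 'jwt', usable: true, alg: header.alg, audiences };
}

// Constructed sample tokens (unsigned placeholders, not real credentials)
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const API_AUDIENCE = 'https://api.testing.com/v1'; // audience value from the thread
const sampleJwt = [
  b64({ alg: 'RS256', typ: 'JWT' }),
  b64({ sub: 'auth0|example', aud: [API_AUDIENCE, 'https://example.invalid/userinfo'] }),
  'constructed-signature'
].join('.');
const sampleOpaque = 'Xk3vT9constructedOpaqueValue01';

console.log(inspectAccessToken(sampleOpaque, API_AUDIENCE));
console.log(inspectAccessToken(sampleJwt, API_AUDIENCE));
```

Calling this inside the strategy's verify callback shows at login time whether the `audience` parameter took effect, rather than discovering it when the backend API rejects the token.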


Glad you got a solution!
