Why is the Authorization header not included in the request? - Auth0

I have been struggling with this problem for two weeks. Basically, I have configured the Auth0 settings with my Flask app, which runs on localhost.

So, I have the following two endpoints in my Flask app:

  • A public endpoint which requires no authentication process:
from flask import jsonify
from flask_cors import cross_origin

@cross_origin(headers=["Content-Type", "Authorization"])
def public():
    # No access token required to access this route
    response = "Hello from a public endpoint! You don't need to be authenticated to see this."
    return jsonify(message=response)
  • A private endpoint which requires authentication:
# origins= is what allow-lists the calling origin; the original passed it through
# headers=, which only lists the request headers a cross-origin caller may send
@cross_origin(headers=["Content-Type", "Authorization"], origins="http://localhost:3000")
def private():
    # A valid access token is required to access this route
    response = "Hello from a private endpoint! You need to be authenticated to see this."
    return jsonify(message=response)

So here is the following scenario:

  • I try to log in with the Auth0 URL, which redirects me to the Universal Login page for my app. After a successful login, it redirects me to the private endpoint and I get a 401 Unauthorized error.

Whenever I make this request with a valid token from the browser, it throws a 401 error. When I call this endpoint with the same token using Postman, it works!

The reason is that the request from the browser does not include the Authorization header, unlike Postman.

I really don’t understand why the browser is not including the Authorization header.

Can someone explain?

NOTE: At first it was working from the browser without any problems, but suddenly this issue appeared.

Since the private endpoint requires authentication, whenever I try to access the private endpoint this function is called:

from flask import request

class AuthError(Exception):
    """Error carrying a JSON body and an HTTP status (minimal definition; the post omits it)."""
    def __init__(self, error, status_code):
        super().__init__(error)
        self.error = error
        self.status_code = status_code

def get_token_auth_header():
    """Obtains the access token from the Authorization header."""
    auth = request.headers.get("Authorization", None)  # HERE IS WHERE THE PROBLEM OCCURS
    print("REQUEST HEADERS: \n", request.headers)
    if not auth:
        raise AuthError({"code": "authorization_header_missing",
                         "description": "Authorization header is expected"}, 401)

    parts = auth.split()

    if parts[0].lower() != "bearer":
        raise AuthError({"code": "invalid_header",
                         "description": "Authorization header must start with"
                                        " Bearer"}, 401)
    elif len(parts) == 1:
        raise AuthError({"code": "invalid_header",
                         "description": "Token not found"}, 401)
    elif len(parts) > 2:
        raise AuthError({"code": "invalid_header",
                         "description": "Authorization header must be"
                                        " Bearer token"}, 401)

    token = parts[1]
    return token

I have been struggling with this for almost two weeks; I have tried everything.

I would really appreciate your help.

Hi @faisalbahli

For web apps you’ll need to add the configuration for Authlib, so that you can authorize the redirects the browser does.

Here’s a link on how to do that and the further steps you’ll need:

Let me know how it goes :wink:

1 Like
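As an added example (not code from this thread or from Auth0's own quickstart), this is the session-based web-app flow the reply points to, using Authlib's Flask client: a browser's top-level navigation back from Universal Login never carries a Bearer header, so the callback route exchanges the authorization code and stores the tokens in the Flask session, and protected routes check that session instead of the header. Names such as create_app, requires_login and the environment variables are assumptions; the imports sit inside create_app so the header helper runs without Flask or Authlib installed.

```python
import os
from functools import wraps

def bearer_token_from_headers(headers):
    """Token from a 'Bearer <token>' Authorization header, or None. A browser's
    top-level navigation (the redirect from Universal Login) never sends one."""
    parts = (headers.get("Authorization") or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]

def create_app():
    # Imports live here so the helper above runs without Flask/Authlib installed.
    from flask import Flask, jsonify, redirect, session, url_for
    from authlib.integrations.flask_client import OAuth

    app = Flask(__name__)
    app.secret_key = os.environ["APP_SECRET_KEY"]  # signs the session cookie (assumed env var)
    oauth = OAuth(app)
    oauth.register(
        "auth0",
        client_id=os.environ["AUTH0_CLIENT_ID"],
        client_secret=os.environ["AUTH0_CLIENT_SECRET"],
        client_kwargs={"scope": "openid profile email"},
        server_metadata_url=f"https://{os.environ['AUTH0_DOMAIN']}/.well-known/openid-configuration",
    )

    def requires_login(f):
        @wraps(f)
        def wrapper(*args, **kwargs):
            # Browser requests are authenticated by the session cookie set at /callback,
            # not by an Authorization header they cannot send on a redirect.
            if "user" not in session:
                return redirect(url_for("login"))
            return f(*args, **kwargs)
        return wrapper

    @app.route("/login")
    def login():
        return oauth.auth0.authorize_redirect(redirect_uri=url_for("callback", _external=True))

    @app.route("/callback")
    def callback():
        session["user"] = oauth.auth0.authorize_access_token()  # code -> tokens, stored in the session
        return redirect(url_for("private"))

    @app.route("/api/private")
    @requires_login
    def private():
        return jsonify(message="Hello from a private endpoint!")
    return app
```

The callback URL must also be listed under Allowed Callback URLs in the Auth0 application settings, or the redirect back is refused.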

Hey, thank you for your effort. I implemented it and it works.
I wanted to ask you if there is any way to provide the Authorization header to the server from the dashboard settings? Because if there is, it would be much simpler and wouldn't need any additional libraries.

Thanks again.

Unfortunately, there isn’t.

1 Like

Thanks for responding Konrad!

No worries! We’re here for you!
