Comments (8)

luisrudge commented on August 15, 2024

If you're not receiving a JWT as an access_token, then you're probably missing the step where you declare your custom audience: https://auth0.com/docs/quickstart/spa/angular2/02-calling-an-api#modify-the-authservice-class

from auth0-spa-js.

luisrudge commented on August 15, 2024

If your access_token is not a JWT, it means that you're not using a custom audience. Please check our guidance for calling an api here.

from auth0-spa-js.

luisrudge commented on August 15, 2024

Also, if you don't want to use a custom audience, you can send the access_token and then use https://github.com/auth0/node-auth0 to get the user information using the getProfile method.

from auth0-spa-js.

its-danny commented on August 15, 2024

Created a new API, still get malformed error when supplying that API as the audience.

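```ts
// Imports assume esModuleInterop; the ApolloServer package name is assumed,
// use the apollo-server-* integration the project actually depends on.
import * as jwt from 'jsonwebtoken';
import jwksClient from 'jwks-rsa';
import { ApolloServer } from 'apollo-server';

// AUTH0_AUDIENCE is the custom API I just created

// Client for the tenant's JWKS endpoint (the public signing keys)
const client = jwksClient({
  jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
});

// Key lookup for jwt.verify: resolves the public key matching the token's "kid" header
const getKey = (header: any, callback: any) => {
  client.getSigningKey(header.kid, (err: Error | null, key: jwksClient.SigningKey) => {
    if (err) {
      // Without this check a failed lookup leaves `key` undefined and the next line throws
      return callback(err);
    }
    const signingKey = (key as jwksClient.CertSigningKey).publicKey || (key as jwksClient.RsaSigningKey).rsaPublicKey
    callback(null, signingKey)
  })
}

// Pin the audience, issuer and algorithm the API accepts
const options = {
  audience: `${process.env.AUTH0_AUDIENCE}`,
  issuer: `https://${process.env.AUTH0_DOMAIN}/`,
  algorithms: ['RS256']
};

const apollo = new ApolloServer({
  modules: [graphQLRoot], // graphQLRoot is defined elsewhere in the project

  context: (context: any) => {
    let token = context.req.headers.authorization;
    token = token ? token.replace('Bearer ', '') : null

    if (token) {
      const user = new Promise((resolve, reject) => {
        jwt.verify(token, getKey, options, (_err, decoded) => {
          console.log('err', _err)
          console.log('decoded', decoded)

          // decoded is undefined when verification fails, so currentUser resolves to undefined
          resolve(decoded);
        });
      });

      return {
        currentUser: user
      }
    } else {
      return {
        currentUser: undefined
      }
    }
  }
});
```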

from auth0-spa-js.

its-danny commented on August 15, 2024

I feel like the app on auth0 should know the API exists, but I don't see anywhere to tell it that?

from auth0-spa-js.

mcblum commented on August 15, 2024

I was wondering the exact same thing -- does my API have to have some kind of /token endpoint or something? I thought Auth0 handled all of that? Here's our flow:

  1. Angular app creates Auth0 client which, after login, does somewhere make a call to {domain}.auth0.com/oauth/token in which I see the token and id_token, but we can't actually get to it.
  2. If I call the API with the token, I get a JWT malformed error.
  3. If I call the API with the id_token, the audience is wrong.

What am I missing here?

from auth0-spa-js.

luisrudge commented on August 15, 2024

In order to get a JWT as the access_token, your request should have something in the audience param. So, the first request to /authorize will be something like https://yourtenant.auth0.com/authorize?client_id=YOUR_CLIENT&audience=YOUR_API.... (not necessarily in that order).

from auth0-spa-js.
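
The three outcomes reported in this thread (an opaque access_token that fails with "jwt malformed", an id_token whose audience is wrong, and an audience-scoped access_token) can be told apart on the API side before calling jwt.verify. The following is an added example, not code from the thread or from auth0-spa-js; `classifyBearer`, the sample tokens and the `https://api.example.test` audience are constructed for illustration.

```javascript
// Triage a bearer token before jwt.verify(). Diagnostic only: nothing here checks
// the signature, so the result must never be used to authorize a request.

// Decode one JWT segment (base64url JSON) to an object; null if it is not JSON.
function decodeSegment(seg) {
  try {
    const obj = JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object' ? obj : null;
  } catch (e) {
    return null;
  }
}

function classifyBearer(token, expectedAudience) {
  if (typeof token !== 'string' || token.length === 0) return { kind: 'missing' };
  const parts = token.split('.');
  // Not three segments: an opaque access_token, which jsonwebtoken rejects as "jwt malformed".
  if (parts.length !== 3) return { kind: 'opaque' };
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || !payload) return { kind: 'opaque' };
  // "aud" may be a single string or an array of strings.
  const aud = [].concat(payload.aud === undefined ? [] : payload.aud);
  if (!aud.includes(expectedAudience)) {
    // Typical of an id_token, whose aud is the application's client_id.
    return { kind: 'audience-mismatch', aud, alg: header.alg };
  }
  return { kind: 'api-jwt', aud, alg: header.alg, kid: header.kid };
}

// Constructed samples: unsigned placeholders, not real tokens.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fakeJwt = (payload) =>
  [b64url({ alg: 'RS256', typ: 'JWT', kid: 'example-kid' }), b64url(payload), 'sig'].join('.');

const API = 'https://api.example.test'; // assumed API identifier (the audience)
const SAMPLES = {
  opaque: 'OPAQUE-ACCESS-TOKEN-PLACEHOLDER',
  idToken: fakeJwt({ iss: 'https://tenant.example/', aud: 'EXAMPLE_CLIENT_ID' }),
  apiToken: fakeJwt({ iss: 'https://tenant.example/', aud: [API, 'https://tenant.example/userinfo'] }),
};

for (const [name, token] of Object.entries(SAMPLES)) {
  console.log(name, '->', classifyBearer(token, API).kind);
}
```

Only a token classified as `api-jwt` is worth passing on to signature verification with the pinned issuer, audience and algorithm; the other results point back to a missing `audience` on the /authorize request.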

mcblum commented on August 15, 2024

@luisrudge also saw your other comment -- here's what I have for my service:

```ts
private config = {
  domain: AUTH0_AUTH_ISSUER,
  client_id: AUTH0_CLIENT_IDS.GLOBAL,
  redirect_uri: `${window.location.origin}/${AUTH0_REDIRECT_URI}`
};
```

from auth0-spa-js.
