Open 9swampy opened 7 years ago
Even, I am facing the same issue. :(
When I try to get protected quotes, it gives the error
UnauthorizedError: jwt audience invalid. expected: undefined
Can anyone please help on this?
@Mazzzy and @9swampy. This repo returns two tokens, an id_token
and an access_token
. The access_toke
n should be the token sent as an Authorization Header.
Also, did you specify the audience in the backend when you cloned this repo?
What audience value do I need to specify in config.json of backend?
Any value of your choice can be your audience
in the config.json. Example:
So, when the access_token
is been signed, it takes it into consideration before signing.
function createAccessToken() {
return jwt.sign({
iss: config.issuer,
aud: config.audience,
exp: Math.floor(Date.now() / 1000) + (60 * 60),
scope: 'full_access',
sub: "lalaland|gonto",
jti: genJti(), // unique identifier for the token
alg: 'HS256'
}, config.secret);
}
It then goes ahead to validate the access_token
before given access to the protected random route.
// Validate access_token
var jwtCheck = jwt({
secret: config.secret,
audience: config.audience,
issuer: config.issuer
});
Same above values are there in code, but dont know whats wrong with it. Do I need to configure something different?
You have an audience value in your config.json file? @Mazzzy
Hello @Mazzzy please try this:
// Validate access_token
var jwtCheck = jwt({
secret: config.secret,
aud: config.audience,
issuer: config.issuer
});
Change audience
to aud
in the jwtCheck function as seen in the above piece of code. That should work!
i think the audience is not checked correctly if it is set. ... if i set audience not at all then i also dont need to set aud so it's not aud that does the "fix".. it just works when audience is not set. ( "express": "^4.16.2", "express-jwt": "^5.3.0", "jwks-rsa": "^1.2.1")
jwtCheck = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: "https://xx.eu.auth0.com/.well-known/jwks.json"
}),
//audience: 'xx-xx-api',
issuer: "https://xx.eu.auth0.com/",
algorithms: ['RS256']
});
Internally seems to be used the client id.. because if you set audience to your client id then its the only way audience is not making that error.
I'm struggling with the same issue for the past few hours.
I added as an actual audience in my express api the clientID, because the application token always get signed with the actual client Id.
Like this I'm imagining we can accept only 'calls' from our desired application, if we'd have many we'd get an error.
I guess it's good for something.
Thanks guys, was struggling with similar situation some hours ago...but reading through the comment lit me up.
Only worked for me with aud
instead of audience
and removing issuer
ʕノ•ᴥ•ʔノ ︵ ┻━┻
(express-jwt@5.3.1)
export default jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
}),
// documented as audience but only works as "aud"
aud: process.env.AUTH0_AUDIENCE,
// documented as required but only works without
// issuer: `https://${process.env.AUTH0_DOMAIN}`,
algorithms: ["RS256"]
});
Apparently you are not supposed to bypass audience by using aud in an SPA <> API authorization flow. I found an amazing summary of how its supposed to be done in that comment. It works flawlessly on my end (Angular2 + Nodejs API).
Sorry, probably a PICNIC but I've converted https://github.com/connor11528/vuejs-auth-frontend to VueJS2 and it's wired up to an instance of this server; LogIn/SignUp/LogOut are all working and the server's creating, memorizing & returning an id_token back fine as long as the server instance is up. However when I call the protected random-quote I get a 401 response and the server logs
..in the console.
If I remove the authorization header the server logs the following in the console:
I'm certain I'm passing in the Authorization header in the "Bearer {jwt}" format correctly. What else am I missing?