auth0 / express-jwt

connect/express middleware that validates a JsonWebToken (JWT) and sets req.user with the attributes
MIT License

Unauthorized error: expected audience #171

Open kmaida opened 7 years ago

kmaida commented 7 years ago

I'm using express-jwt and jwks-rsa to authorize a Node API with Auth0. Everything has been working great, until I had to do a fresh npm install today. Then when my app tried to make an authorized API request, I received this error:

UnauthorizedError: jwt audience invalid. expected: http://localhost:3003/api/
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/express-jwt/lib/index.js:102:22
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/jsonwebtoken/verify.js:27:18
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickCallback (internal/process/next_tick.js:98:9)

Nothing whatsoever has changed except the fresh npm install. The JWT audience is exactly what it should be.

kmaida commented 7 years ago

I was able to fix this by changing audience to aud, like so:

const jwtCheck = jwt({
  secret: ...,
  aud: config.AUTH0_API_AUDIENCE,
  issuer: `https://${config.AUTH0_DOMAIN}/`,
  algorithms: ['RS256']
});

Another user had previously discovered that they needed to do this and they left a comment in the Auth0 blog to that effect. This was a while back.

I've now confirmed that this is required to fix the unauthorized API access error in multiple repos.

Ideally, it should accept both audience and aud, because now there are users using both / either depending on what version of express-jwt they're using, and whether or not they've run into this issue yet.

UPDATE: This is not a fix, it's a bypass. Please do not do this.

theblindprophet commented 7 years ago

aud fixed for me, version below:

"express": "^4.14.0",
"express-jwt": "^5.1.0",
"express-jwt-authz": "^1.0.0",

OmgImAlexis commented 7 years ago

Same issue here; from the look of it, this is checking aud for audience and iss for issuer.

mitchellporter commented 7 years ago

I created a quick express sample project using the latest versions of this package and the jsonwebtoken package and I'm having trouble reproducing this issue.

@kmaida I started to test with your mean-rsvp-auth0 repo but ran into some unrelated problems and would like to reduce the number of variables while debugging.

If any of you could provide a simple sample project that reproduces this behavior that would be awesome. Once I can easily reproduce the bug, I'll be able to verify a fix for the problem and submit a PR. That way it will accept both audience and aud and we can avoid future problems.

Thanks.

kmaida commented 7 years ago

This does seem to be working with audience now. aud does not actually check the audience, so it would always pass. However, I've now used audience in several repos with success.

It should be noted that fresh npm installs were run recently.

strizzwald commented 7 years ago

@kmaida, I am experiencing this issue; it works if I change audience to aud. But if it does not check aud then this does not seem like an acceptable fix.

kmaida commented 7 years ago

@carnag3kid7 Correct, changing it to aud is not an acceptable fix. I have not run into this issue anymore recently. Are you experiencing this with a fresh npm install?

strizzwald commented 7 years ago

So for me the issue was not because of a fresh npm install. But I noticed something interesting. When I use a test token generated from the test tab under APIs I do not experience any problems. However, when I create a user with the Management API and then use his/her credentials to get a token, the token causes the error jwt audience invalid. expected: ... I don't know much about oauth, but to me it seems like there is a difference in the way the two tokens are signed.

RedShift1 commented 6 years ago

Copying straight from the example generated by the quickstart, I got the "jwt audience invalid". I had to change "audience" to "aud" too to get it working.

+-- express@4.16.2
+-- express-jwt@5.3.0
+-- jwks-rsa@1.2.1

bogini commented 6 years ago

Thank you so much @RedShift1 that worked for me 🙌

flexlee commented 6 years ago

I was having this problem earlier, but later I found out my AUDIENCE didn't have the trailing / as in https://mydomain.auth0.com/api/v2/. That fixed my problem.

idhard commented 6 years ago

I'm facing the same issue as @strizzwald mentioned. Is there a current solution?

idhard commented 6 years ago

I always got the error when decoding the ID_TOKEN instead of the access_token, so I found out that the audience set in the ID_TOKEN is not the same as the one set in the access_token: https://github.com/auth0/auth0.js/issues/473#issuecomment-316982867

alukach commented 6 years ago

Was experiencing this. It was my failure of using my id_token rather than my authorizationToken.

nikosolihin commented 5 years ago

Came here and realized my ignorance of ID Token vs Access Token. This post helped clear things up for me:

https://community.auth0.com/t/what-is-the-difference-between-idtoken-accesstoken/10843

Standaa commented 5 years ago

A great summary of how things are supposed to work can be found in this comment