auth0 / nextjs-auth0

Next.js SDK for signing in with Auth0
MIT License

BadRequestError: access_denied (Unauthorized) from clean Tenant #650

Closed. AThilenius closed this 2 years ago

AThilenius commented 2 years ago

👋 Hi all. I'm almost positive this is user error, but I'm driving myself a little crazy playing spot-the-mistake. Hoping someone can offer some guidance.

Description

I consistently get BadRequestError: access_denied (Unauthorized) for my localhost test /api/auth/callback route, on a totally clean tenant with a Standard Web App and minimal changes to the example in this repo. I've tried going through the other suggestions online to no effect. If anyone can spot the flaw in my repro case, I would be immensely grateful!

Reproduction

Environment

Node 14.18.2; Windows 11 with WSL2 Ubuntu; Chrome, Firefox and Edge.

adamjmcgrath commented 2 years ago

Hi @AThilenius - thanks for raising this.

I can't see anything wrong with the code you've shared, or how you've configured your tenant.

Could you share a repo of this app and I'll try running it against my tenant to debug.

Alternatively, BadRequestError: access_denied (Unauthorized) shows the code exchange is failing (which I can confirm from your logs). You could try stepping through where openid-client makes the /oauth/token request and inspecting the payload (around here https://github.com/panva/node-openid-client/blob/main/lib/client.js#L1336) - it should look like this: https://auth0.com/docs/get-started/authentication-and-authorization-flow/add-login-auth-code-flow#post-to-token-url-example

AThilenius commented 2 years ago

@adamjmcgrath You're a gentleman and a scholar! I couldn't for the life of me figure out how to attach a debugger to the node-openid-client code 🤦‍♂️ so I made a minimalistic reproduction case instead: https://github.com/AThilenius/auth0-next-error-repro It's a throw-away tenant, so I committed secrets in there as well. I also detailed every step I took start to finish.

Again, thank you for the help!

adamjmcgrath commented 2 years ago

Hi @AThilenius - thanks for sharing that.

I was able to login to your tenant successfully (see log id 90020220427140957004924896824767482335548639821059588098 in thilenius-next-test-02@us) using that repo.

It must be something local to your environment - are you able to try it on another machine? You could also try nuking your node_modules/package-lock.json and reinstalling.

adamjmcgrath commented 2 years ago

AUTH0_BASE_URL='http://localhost:3000'

Also, try using double quotes instead of single quotes in your env file. I'm not sure, but Windows might be turning them into "'http://localhost:3000'".

AThilenius commented 2 years ago

Interesting. I'm at a bit of a loss here.

I tried on OSX (node 14/17) with the same results. Then I deployed it to Heroku and it worked just fine. https://nextjs-auth0-issue-repro.herokuapp.com/

Started testing combinatorics... I tried yarn build and yarn start to see if it was a dev-build issue. Nope. I tried ngrok to see if https would help, no joy. Finally I tried Win (WSL2, so Linux/Ubuntu) on my mac, which I never use, and that worked just fine 🤦‍♂️ Back on my desktop I tried a different port, I tried binding 0.0.0.0 and using 127.0.0.1, I tried going to chrome://settings/siteData on Chrome and nuking data, I tried every browser I have installed. I think there is something, somewhere, cached in all my browsers from Auth0 development over the last year that is causing this. But I can't for the life of me figure out what lol.

Edit: Actually the fact that proxying with ngrok was the same result disagrees with my hypothesis. That was a unique domain name as far as my browser knows.

AThilenius commented 2 years ago

Ha ha ha. As is always the case with these types of tickets, I now get to tell you the super embarrassing reason for the issue... I had a different AUTH0_CLIENT_SECRET being set in my zshrc that I forgot about 🤦‍♂️

I realized something with my env was screwed up when I launched it in Docker and it worked just fine.

Huge thank you for your time @adamjmcgrath, I super appreciate it.
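The root cause above (a stale `AUTH0_CLIENT_SECRET` exported from `~/.zshrc` silently winning over the value in `.env.local`) and the earlier suggestion about doubled quotes around `AUTH0_BASE_URL` are both checkable before any request reaches Auth0. The script below is an added example, not code from nextjs-auth0 or from either participant. It assumes dotenv-style loading semantics (a variable already present in the process environment is not overwritten by the file) and a `KEY=VALUE` file format with optional surrounding quotes; the sample file and shell environment are constructed placeholders, not real tenant values.

```javascript
// Added example (not part of nextjs-auth0): find .env settings that are
// shadowed by variables already exported in the shell, and values that still
// carry literal quote characters after parsing. Secrets are only ever shown
// masked, so the output is safe to paste into an issue.

// Parse dotenv-style text. A matching pair of surrounding quotes is stripped
// (the dotenv convention); anything else, including a doubled quoting such as
// "'http://localhost:3000'", is kept literally. Assumption: no multi-line or
// interpolated values.
function parseDotenv(text) {
  const result = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim().replace(/^export\s+/, "");
    let value = line.slice(eq + 1).trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    result[key] = value;
  }
  return result;
}

// Keep the first two and last two characters: enough to tell two secrets
// apart without revealing either.
function mask(value) {
  if (value.length <= 6) return "*".repeat(value.length);
  return `${value.slice(0, 2)}${"*".repeat(value.length - 4)}${value.slice(-2)}`;
}

// One entry per key whose effective value comes from the environment rather
// than the file (assumed dotenv semantics: existing process.env values win).
function findShadowedKeys(fileVars, env = process.env) {
  const shadowed = [];
  for (const [key, fileValue] of Object.entries(fileVars)) {
    if (Object.prototype.hasOwnProperty.call(env, key) && env[key] !== fileValue) {
      shadowed.push({ key, fileValue: mask(fileValue), envValue: mask(env[key]) });
    }
  }
  return shadowed;
}

// Keys whose parsed value still begins or ends with a quote character; such a
// redirect/base URL will not match what is registered on the tenant.
function findQuotedValues(fileVars) {
  return Object.entries(fileVars)
    .filter(([, v]) => /^["']|["']$/.test(v))
    .map(([k]) => k);
}

// Constructed sample .env.local (placeholder values, not a real tenant).
const SAMPLE_ENV_FILE = `
# Auth0 settings
AUTH0_BASE_URL='http://localhost:3000'
AUTH0_ISSUER_BASE_URL="https://example-tenant.us.auth0.com"
AUTH0_CLIENT_ID=abc123clientid
AUTH0_CLIENT_SECRET="file-secret-0000000000"
AUTH0_SECRET=use-openssl-rand-hex-32-here
BROKEN_URL="'http://localhost:3000'"
`;

// Constructed shell environment: a forgotten export from ~/.zshrc.
const SAMPLE_SHELL_ENV = {
  PATH: "/usr/bin",
  AUTH0_CLIENT_SECRET: "zshrc-secret-9999999999",
};

function report(fileText = SAMPLE_ENV_FILE, env = SAMPLE_SHELL_ENV) {
  const vars = parseDotenv(fileText);
  return { shadowed: findShadowedKeys(vars, env), quoted: findQuotedValues(vars) };
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with the real file and `process.env` (`report(fs.readFileSync(".env.local", "utf8"), process.env)`) from the same shell that starts `next dev`; a non-empty `shadowed` list explains an `access_denied` at the token endpoint long before stepping through openid-client.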

adamjmcgrath commented 2 years ago

No worries @AThilenius - thank you for sharing! 😄