I have been trying to read twitch user subscription data using Auth0 - to no avail.
I found some information in their documentation, explaining how to add customs scopes to the authentication request.
I am importing the createAuth0Client function from "#auth0/auth0-spa-js" and calling the below
this.auth0Client = await createAuth0Client({
domain: options.domain,
client_id: options.clientId,
audience: options.audience,
redirect_uri: redirectUri,
scope: 'email profile user:read:subscriptions' // change the scopes that are applied to every authz request. **Note**: `openid` is always specified regardless of this setting
});
When I am redirected to twitch to authenticate, it is only requesting access to my email. Read subscriptions is never requested, and thus is not authorized.
Any guidance or example would be greatly appreciated.
Related
Recently google authorization api breaks and because of that other things affects like events on Calender.
We are using google_client_api for rails app and we have checked with other Client Id and Client Secret but still this fails to provide to authorization code in response and because of this everything. Is there anyone who can help me out with this. I
client = Signet::OAuth2::Client.new(client_options)
Client_options = {
client_id: Rails.application.secrets.google_client_id,
client_secret: Rails.application.secrets.google_client_secret,
authorization_uri: 'https://accounts.google.com/o/oauth2/auth',
token_credential_uri: 'https://accounts.google.com/o/oauth2/token',
scope: 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email',
redirect_uri: callback_url
}
Not getting authorization code in response any solution.
I am trying to secure NextJS API endpoints with keycloak. Keycloak authentication is already implemented on the front-end pages. The user is forced to sign in before they can view those pages. Two tokens are saved in the browser's cookies following keycloak authentication. They are kcToken and kcIdToken.
Those same pages call on api endpoints, which also need to be secured, in case someone is trying to access them outside of the application pages.
I am trying to use the two tokens (kcIdToken and kcToken) to secure the APIs endpoints. I am not trying to require authentication again at the api level, but directly fetch these two tokens from the browser when an api endpoint is called and verify the tokens to check authentication status, etc.
Is there a way of verifying these two tokens ? I checked the format of these two tokens and they are not exactly jwt tokens with headers, payload, etc.
I am able to get these two tokens. I am not sure though what are their differences and uses.
What are the differences and uses of kcToken and kcIdToken, obtained using the #react-keycloak/ssr authentication for keycloak ?
Here is my api endpoint function:
const handler = async (req, res) => {
// Fetching the tokens from the request cookies
const { kcToken, kcIdToken } = req.cookies
console.log(kcIdToken)
console.log(kcToken)
// If the tokens are undefined or non-existent in the browser
if ( !kcIdToken || !kcToken) {
return res.status(401).json({ success: false, message: "Unauthorized Access"})
}
// Verify kcToken and kcIdToken are valid
// Get user information, roles, etc, if the tokens are valid
return res.status(401).json({ success: false, message: "Unauthorized Access"})
}
How do I verify these two tokens validate the correct authentication state ? What are the uses and differences between these two tokens ? Are these tokens coming directly from keycloak or from #react-keycloak/ssr ?
Im using Auth0 for authenticating users for my react application.I have been trying to access resources on server side but I keep getting UnauthorizedError: jwt malformed as an Error.
I’ve followed a the following thread on the community forums: https://community.auth0.com/t/unauthorizederror-jwt-malformed-in-express-js/7352
Many users have suggested that the audience value from the guide is wrong. The audience given in the guide is https:///userinfo but it should be ‘https://.auth0.com/api/v2/’, I’ve made that change and the error is still there.
This has worked for some people but not for me.
This is the guide ive been following: https://auth0.com/blog/react-tutorial-building-and-securing-your-first-app/
const checkJwt = jwt({
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://<domain>/.well-known/jwks.json`
}),
// Validate the audience and the issuer.
audience: "https://<something>/api/v2/",
issuer: `https://<something>/`,
algorithms: ["RS256"]
});
this is the code ive written on the express side.
this.auth0 = new auth0.WebAuth({
// the following three lines MUST be updated
domain: "<Domain>",
audience: "https://<Something>/api/v2/",
clientID: "clientID",
redirectUri: "http://localhost:3000/callback",
responseType: "token",
scope: "openid"
});
This is the code written on the frontend of the application.
One of our senior engineers had a good recommendation on this that I will share below:
If you haven't done so already you should perform these steps:
capture the token you receive; for example, using a console.log statement given this is in development.
review the captured token; does it look like a JWT?
if its a JWT and you can parse it at jwt.io then update the API to log the received token before trying to validate it; does the received
token match the one you expect?
In conclusion, try to take steps that allow you to gather a bit more
of information.
I am using react-native-auth0 sdk. Here is how I use auth0 to do facebook login.
auth0
.webAuth
.authorize({
scope: 'openid profile email offline_access',
//audience: config.auth0.audience, //option (1)
audience: auth0Domain+'/userinfo', //option (2)
responseType: 'token id_token',
})
.then(auth0Cred => {
console.log("Auth0 Auth Result: "+JSON.stringify(auth0Cred));
dispatch(signInAuth0Successful(auth0Cred));
if (callback != null) {
callback(auth0Cred);
}
dispatch(saveAuth0RefreshToken(auth0Cred.refreshToken));
//return auth0Cred;
})
.catch(error => console.log(error));
For the audience there are two options for me.
When I use option (1), it gives me (the long version of) accessToken, idToken, scope, expiresIn, tokenType.
When I use option (2), it gives me (the opaque version of) accessToken, idToken, refreshToken, expiresIn, tokenType.
However, I need both the long accessToken and refreshToken at the same time? Is it possible?
Explanation - When you use an audience for your own API, you are opting in to receive a JWT Access Token (long token). If you only need to call the Auth0 /userInfo endpoint then the default behaviour is only to offer an opaque access token - this is expected behaviour (if somewhat confusing).
Out of interest, why would you require a JWT Access Token if you are not specifying your own audience?
However, to try and solve your request - please check if you have set your Client in the Auth0 Dashboard to OIDC Conformant. Under Clients -> Your Client -> Settings - Advanced (at bottom of page). Screen shot below:
If this doesn't work we can explore other options - so please leave a comment beneath if required.
With OIDC Conformance, you would not receive a Refresh Token for a SPA (implicit flow). Instead, use Silent Auth - see reference docs here, so make sure you do have your Client Type set to Native.
Based on OP feedback - Check that the Resource Server also has allow_offline_access enabled. Can patch this with Management API. Alternatively, just go to your API in the Auth0 Dashboard and toggle the switch on the API settings page.
I have an application that uses google's oauth system to authorize with youtube's api. The code for this is done on our server and we receive tokens without any problem. We'd like to move some of the api calls to the client using their javascript api.
Since we've already authorized the user with the correct scopes required for the youtube api (https://www.googleapis.com/auth/youtube) I assumed when I called authorize on the client it would know that my application was already authorized and allow auto login. Instead I receive a "immediate_failed" response. Does anyone know why? Thanks!
gapi.auth.authorize({
client_id: OAUTH2_CLIENT_ID,
scope: OAUTH2_SCOPES,
immediate: true
}, handleAuthResult);
If you have the token, you can just use setToken instead of going through OAuth2 again.