I'm trying to migrate my app from auth0 to auth0-spa.js. I've been able to get it almost working, and the code is definitely simpler with this new lib so I'd like to keep using it but I also need a valid jwt token for the backend.
I use the following middleware on my node server (express-jwt)
export const jwtCheckMiddleware = jwt({
secret: '....',
getToken: function (req) {
if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') {
return req.headers.authorization.split(' ')[1];
}
},
issuer: `https://${environment.auth.auth0Domain}/`,
algorithm: 'RS256'
});
Previous I would pass the idToken from auth0 and it worked. Now I get a token via await auth0.getTokenSilently(), however passing that to the middleware gives me "jwt malformed".
How can I get a valid JWT token from auth0-spa.js? Also, how would I ensure that the token I'm passing to the middlware is never expired?
Ok so I was able to get auth-spa.js to give me a jwt token by registering a custom API with Auth0 and then passing the API identifier as the audience.
More info here: https://auth0.com/docs/getting-started/set-up-api
const auth0 = createAuth0Client({
audience: environment.auth.audience, <-----API identifier of custom API in Auth0
client_id: environment.auth.clientId,
domain: environment.auth.clientDomain
});
After adding the audience getTokenSilently() gives me a JWT token which I pass to node. Then I had to add the audience in my jwt middleware:
export const jwtCheckMiddleware = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://${environment.auth.auth0Domain}/.well-known/jwks.json`
}),
audience: environment.auth.auth0ApiAudience, <!--- API identifier
issuer: `https://${environment.auth.auth0Domain}/`,
algorithms: ['RS256']
});
Related
I have a react native app authenticated with Auth0.
I have an API that uses react native.
When a user signs in, i take the accessToken that is given for that user, and I make request to the API with the accessToken set as the authorization header.
I do so like this:
const requestHeader = {
headers: {
Authorization: `Bearer ${accessToken}`,
}
}
axios.post(API_BASE + '/api/example/', requestHeader)
The accessToken is something short like this: aBQdd0kOvb1pNj-9XDj_C6bKWkMg9D_q
When I try to validate the request with the API, I get this error:
UnauthorizedError: jwt malformed
I know i'm getting this error because the access token isn't a JWT.
I'm validating in the API like this:
exports.checkJwt = jwt({
secret: jwksRsa.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: 'https://dev-0p1doq9r.auth0.com/.well-known/jwks.json'
}),
audience: 'ddasdsfasdfasd',
issuer: 'safsdfasdfasdfafsdf',
algorithms: ['RS256']
});
I know that accessToken needs to be transformed into a JWT on the client, BUT HOW? I have not found any documentation for this; I have also not found what other properties need to be included in the JWT for validation.
I am trying to connect Spartacus 3.2 with Auth0. With below config I am able to successful login from Auth0
provideConfig(<AuthConfig>{authentication: {
OAuthLibConfig: {
responseType: 'token',
redirectUri: redirectURL,
},
baseUrl: 'https://DomainName',
client_id: 'clientID',
loginUrl: '/authorize',
}})
Issue is:
How to pass accesstoken bearer token (Authorization) and idtoken in headers that is from Auth0? in every page call.
Can I please know how to solve this?
I am using react-native-app-auth library and passing in grant type: authorization code with PKCE and client credentials
const config = {
issuer: "***",
clientId: "***",
clientSecret: '***',
redirectUrl: '***:/oauthredirect',
additionalParameters: {},
scopes: ['***']
}
const newAuthState = await authorize(config);
Able to enter credentials and redirect to react native app but getting error of client_id and client_secret is missing or has an incorrect value
client_id, client_secret and scope are correct. And scope, redirectUrl are registered on server.
https://github.com/FormidableLabs/react-native-app-auth
clientAuthMethod - (string) ANDROID Client Authentication Method. Can be either basic (default) for Basic Authentication or post for HTTP POST body Authentication
passing clientAuthMethod as post worked for me.
I created an app with Vue (including Vue-Router), Node and Express.
I'm trying to secure my App with SSO, using auth0-js.
I created an Auth0-Account and followed this tutorial.
My Login function looks as follows:
import auth0 from 'auth0-js'
var auth = new auth0.WebAuth({
clientID: <my-client-id>,
domain: '<my-auth0-domain>/'
})
export function ssoLogin () {
auth.authorize({
responseType: 'token id_token'
redirectUri: http://localhost:8000/callback,
audience: 'https://<my-auth0-domain>/userinfo',
scope: 'full_access'
})
}
While the login itself works fine, I can't seem to find out how to secure the secret routes of my app.
Following the above mentioned tutorial, I used express-jwt and jwks-rsa, like this:
var jwt = require('express-jwt')
var jwks = require('jwks-rsa')
var authCheck = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: "https://<my-auth0-domain>/.well-known/jwks.json"
}),
audience: <my-client-id>,
issuer: "https://<my-auth0-domain>/",
algorithms: ['RS256']
})
app.post('/send-sensitive-data', authCheck, function (req, res) {
// this post requests sends some data, and should only do so, if a user is logged in
})
However, even if I'm logged in via SSO, when I try to access the sensitive data, I obtain
UnauthorizedError: No authorization token was found
I have no idea where I went wrong. This seems like a very stupid question, but: Can somebody tell me, where the authorization token must be, so it will be found?
I would really appreciate if someone helped me by this or gave me a hint.
Please feel free to ask for more code snippets, if that might help.
Okay, I found the answer on my own ... but in case anyone is making the same mistake as I'm doing: I forgot to set the header in the axios.post request, like that:
axios({
method: 'post',
url: '/send-sensitive-data',
data: somedata,
headers: {
Authorization: 'Bearer ' + getAccessToken()
}
})
.then(response => {
// do something with the response
})
I am building a cordova mobile app and trying to use the auth0 lock API. I am having trouble with the refresh token. I can retreive the refresh token in the authResult but cannot figure out how to actually refresh the id_token ( I suppose i could write the REST calsl myself )
In the v9 docs, it seems there used to be a method: https://auth0.com/docs/libraries/lock/v9/using-a-refresh-token
lock.getClient().refreshToken(refresh_token, function (err, delegationResult) {
// Get here the new JWT via delegationResult.id_token
});
However in lock v10 it seems this method doesn't exist any more: https://auth0.com/docs/libraries/lock/v10/api
Can anyone advise if there is a way to refresh the token using the lock API?
First, you need to either have included Auth0's script tag in your HTML:
<script src="https://cdn.auth0.com/js/lock/10.8/lock.min.js"></script>
Or, if you've installed from npm, you can require Auth0:
var Auth0 = require("auth0-js");
In V10, you create an instance of the Auth0 client (separate from the Auth0Lock instance) which has a function refreshToken():
var auth0 = new Auth0({clientID: YOUR_CLIENT_ID, domain: YOUR_AUTH0_DOMAIN});
...
auth0.refreshToken(refresh_token_here, (err, resp) => {
// resp: {expires_in: 36000, id_token: "id_token here", token_type: "Bearer"}
}
The same can also be achieved by using the getDelegationToken() function:
auth0.getDelegationToken({
client_id: YOUR_CLIENT_ID,
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
refresh_token: refresh_token_here,
scope: "openid",
api_type: "auth0"
}, (err, resp) => {
// resp: {expires_in: 36000, id_token: "id_token here", token_type: "Bearer"}
});