Auth0 right way to call userinfo

Question

I have created an API with RS256 signing algorithm and http://localhost:3000/api/v1 as the Identifier (audience) and I added openid, phone, profile as the scopes to the created API

Then created an application to invoke the above API, with RS256 signing and turned off OIDC Conformant since I'm using a customized login page.

I was able to invoke the following authorize request successfully :

https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://hostname.auth0.com/userinfo

After getting the code I was able to execute the token call and received the access_token

curl --request POST \ --url https://hostname.auth0.com/oauth/token \ --header 'content-type: application/json' \ --data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"localhost:3000/api/v1","grant_type":"client_credentials","code": "CODE"}'

But after decoding the JWT token I couldn't see the userinfo endpoint in audience field

So I'm getting unauthorized error in executing the following userinfo call, but I was able to call my other API (secured resources) using the given access token without any issue.

 curl --request GET \
 --url 'https://hostname.auth0.com/userinfo' \
 --header 'authorization: Bearer {ACCESS_TOKEN}' \
 --header 'content-type: application/json'

Unauthorized

-Then I tried to invoke the token endpoint using userinfo url as the audience value:

 curl --request POST \
 --url https://hostname.auth0.com/oauth/token \
 --header 'content-type: application/json' \
 --data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"https://hostname.auth0.com/userinfo","grant_type":"client_credentials","code": "CODE"}'

Then I'm getting the following error:

 {"error":"access_denied","error_description":"Client is not authorized to access \"https://hostname.auth0.com/userinfo\". You might probably want to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}

When I tried to add userinfo url as an additional Identifier (audience) when creating an API, I'm getting an error saying 'provided identifier is reserved'

Please let me know what I'm doing wrong here. Looking forward to your reply.

Thanks.

Answer 1

I see multiple issues in what you are doing.

If you are looking to get an access token for your API as well, you should specify that API's identifier as the audience in the initial /authorize call. /userinfo audience is assumed, so you don't need to specifically mention it. For example, if your API identifier is https://api.example.com :

https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://api.example.com

You may also want to specify some of the scopes defined in the API in the above call (apart from openid and profile ).

When you exchange the code to tokens, the grant_type should be authorization_code (not client_credentials ). Also, you don't need to specify the audience again during this code exchange. But make sure you specify the redirect_uri that you sent in initial /authorize request here as well. This is required to prevent some attack vectors.

Changing the API calls based on the above points should send you back the correct access token - which can be used to both call your API and the /userinfo endpoint.

More info about this flow can be found in the docs: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant