I have created an API with the RS256 signing algorithm and http://localhost:3000/api/v1 as the Identifier (audience), and I added openid, phone and profile as the scopes of the created API.
Then I created an application to invoke the above API, with RS256 signing, and turned off OIDC Conformant since I'm using a customized login page.
I was able to invoke the following authorize request successfully:
https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://hostname.auth0.com/userinfo
After getting the code I was able to execute the token call and received the access_token:
curl --request POST \
--url https://hostname.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"localhost:3000/api/v1","grant_type":"client_credentials","code": "CODE"}'
But after decoding the JWT I couldn't see the userinfo endpoint in the audience field.
So I'm getting an unauthorized error when executing the following userinfo call, but I was able to call my other API (secured resources) using the given access token without any issue.
curl --request GET \
--url 'https://hostname.auth0.com/userinfo' \
--header 'authorization: Bearer {ACCESS_TOKEN}' \
--header 'content-type: application/json'
Unauthorized
Then I tried to invoke the token endpoint using the userinfo url as the audience value:
curl --request POST \
--url https://hostname.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"CLIENT_ID","client_secret":"CLIENT_SECRET","audience":"https://hostname.auth0.com/userinfo","grant_type":"client_credentials","code": "CODE"}'
Then I'm getting the following error:
{"error":"access_denied","error_description":"Client is not authorized to access \"https://hostname.auth0.com/userinfo\". You might probably want to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}
When I tried to add the userinfo url as an additional Identifier (audience) when creating an API, I got an error saying 'provided identifier is reserved'.
Please let me know what I'm doing wrong here. Looking forward to your reply.
Thanks.
I see multiple issues in what you are doing.
If you are looking to get an access token for your API as well, you should specify that API's identifier as the audience in the initial /authorize call. The /userinfo audience is assumed, so you don't need to specifically mention it. For example, if your API identifier is https://api.example.com:
https://hostname.auth0.com/authorize?client_id=CLIENT_ID&redirect_uri=http://localhost:4200/dashboard&response_type=code&scope=openid%20profile&state=state&nonce=nonce&audience=https://api.example.com
You may also want to specify some of the scopes defined in the API in the above call (apart from openid and profile).
When you exchange the code for tokens, the grant_type should be authorization_code (not client_credentials). Also, you don't need to specify the audience again during this code exchange. But make sure you specify the redirect_uri that you sent in the initial /authorize request here as well. This is required to prevent some attack vectors.
Changing the API calls based on the above points should send you back the correct access token, which can be used to both call your API and the /userinfo endpoint.
More info about this flow can be found in the docs: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant
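The corrected flow from the answer above as an added Python example (not code from either poster or from Auth0): it builds the /authorize URL with the API identifier as audience, builds the code-exchange body with the authorization_code grant and the repeated redirect_uri, and checks the aud claim of the returned token. The tenant, redirect URI and API identifier come from the thread; the sample token is constructed locally with a placeholder signature, so the claim check is inspection only, not signature verification.

```python
import base64
import json
from urllib.parse import urlencode

TENANT = "https://hostname.auth0.com"         # tenant used in the thread
API_AUDIENCE = "https://api.example.com"       # API identifier from the answer
REDIRECT_URI = "http://localhost:4200/dashboard"


def build_authorize_url(client_id, state, nonce, api_scopes=()):
    """/authorize request: audience is the API identifier; /userinfo is implied."""
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(("openid", "profile") + tuple(api_scopes)),
        "state": state,
        "nonce": nonce,
        "audience": API_AUDIENCE,
    }
    return f"{TENANT}/authorize?{urlencode(params)}"


def build_token_request(client_id, client_secret, code):
    """Code exchange body: authorization_code grant, redirect_uri repeated, no audience."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }


def decode_payload_unverified(jwt):
    """Base64url-decode only the payload segment to read claims (no signature check)."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def token_covers(jwt, *audiences):
    """True when every required audience appears in the token's aud claim."""
    aud = decode_payload_unverified(jwt).get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    return all(a in aud for a in audiences)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample token shaped like the expected result: aud lists API and /userinfo.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": TENANT + "/", "sub": "auth0|user", "aud": [API_AUDIENCE, TENANT + "/userinfo"]}),
    "signature-placeholder",
])
```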