
Unauthorized error: expected audience

Open kmaida opened this issue 7 years ago • 16 comments

I'm using express-jwt and jwks-rsa to authorize a Node API with Auth0. Everything has been working great, until I had to do a fresh npm install today. Then when my app tried to make an authorized API request, I received this error:

UnauthorizedError: jwt audience invalid. expected: http://localhost:3003/api/
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/express-jwt/lib/index.js:102:22
    at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/jsonwebtoken/verify.js:27:18
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickCallback (internal/process/next_tick.js:98:9)

Nothing whatsoever has changed except the fresh npm install. The JWT audience is exactly what it should be.

kmaida avatar Jun 02 '17 17:06 kmaida

I was able to fix this by changing audience to aud, like so:

const jwtCheck = jwt({
  secret: ...,
  aud: config.AUTH0_API_AUDIENCE,
  issuer: `https://${config.AUTH0_DOMAIN}/`,
  algorithms: ['RS256']
});

Another user had previously discovered that they needed to do this and they left a comment in the Auth0 blog to that effect. This was a while back.

I've now confirmed that this is required to fix the unauthorized API access error in multiple repos.

Ideally, it should accept both audience and aud, because now there are users using both / either depending on what version of express-jwt they're using, and whether or not they've run into this issue yet.

UPDATE: This is not a fix, it's a bypass. Please do not do this.

kmaida avatar Jun 02 '17 18:06 kmaida

aud fixed for me, version below:

"express": "^4.14.0",
"express-jwt": "^5.1.0",
"express-jwt-authz": "^1.0.0",

theblindprophet avatar Jun 07 '17 17:06 theblindprophet

Same issue here; from the looks of it, this is checking aud for audience and iss for issuer.

OmgImAlexis avatar Jul 01 '17 14:07 OmgImAlexis

I created a quick express sample project using the latest versions of this package and the jsonwebtoken package and I'm having trouble reproducing this issue.

@kmaida I started to test with your mean-rsvp-auth0 repo but ran into some unrelated problems and would like to reduce the amount of variables while debugging.

If any of you could provide a simple sample project that reproduces this behavior that would be awesome. Once I can easily reproduce the bug, I'll be able to verify a fix for the problem and submit a PR. That way it will accept both audience and aud and we can avoid future problems.

Thanks.

mitchellporter avatar Jul 08 '17 17:07 mitchellporter

This does seem to be working with audience now. aud does not actually check the audience, so it would always pass. However, I've now used audience in several repos with success.

It should be noted that fresh npm installs were run recently.

kmaida avatar Sep 19 '17 20:09 kmaida

@kmaida , I am experiencing this issue, it works if I change audience to aud. But if it does not check aud then this does not seem like an acceptable fix.

strizzwald avatar Oct 10 '17 16:10 strizzwald

@carnag3kid7 Correct, changing it to aud is not an acceptable fix. I have not run into this issue anymore recently. Are you experiencing this with a fresh npm install?

kmaida avatar Oct 10 '17 19:10 kmaida

So for me the issue was not because of a fresh npm install. But I noticed something interesting. When I use a test token generated from the test tab under APIs I do not experience any problems. However, when I create a user with the Management API and then use his/her credentials to get a token, the token causes the error jwt audience invalid. expected: ... I don't know much about oauth, but to me it seems like there is a difference in the way the two tokens are signed.

strizzwald avatar Oct 10 '17 19:10 strizzwald

Copying straight from the example generated by the quickstart, I got the "jwt audience invalid". I had to change "audience" to "aud" too to get it working.

+-- [email protected]
+-- [email protected]
+-- [email protected]

RedShift1 avatar Jan 15 '18 10:01 RedShift1

Thank you so much @RedShift1 that worked for me 🙌

bogini avatar Feb 11 '18 04:02 bogini

I was having this problem earlier, but later I found out my AUDIENCE didn't have the trailing / as in https://mydomain.auth0.com/api/v2/. That fixed my problem.

flexlee avatar Feb 23 '18 20:02 flexlee

I'm facing the same issue as @strizzwald mentioned. Is there a current solution?

idhard avatar May 26 '18 11:05 idhard

I always got the error when decoding the ID_TOKEN instead of the access_token, so I found out that the audience set in the ID_TOKEN is not the same as the one set on the access_token: https://github.com/auth0/auth0.js/issues/473#issuecomment-316982867

idhard avatar May 26 '18 13:05 idhard
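The three failure modes discussed in this thread (the `aud` option silently disabling the check, a missing trailing slash, and verifying an ID token instead of an access token) can be reproduced with a small stand-alone re-implementation of the audience and issuer claim checks. This is an added example, not code from express-jwt or jsonwebtoken; the tokens, domain, client ID and placeholder signature are constructed, and signature verification is deliberately left out.

```javascript
// Added example (not express-jwt/jsonwebtoken code): minimal claim checks with
// exact-string audience matching, run over constructed, unsigned sample tokens.

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed jwt');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Only `options.audience` and `options.issuer` are read. An option named
// `aud` (the bypass from earlier in the thread) is never consulted, so the
// audience check is simply skipped and any token passes.
function checkClaims(token, options) {
  const payload = decodePayload(token);
  if (options.audience !== undefined) {
    const claimed = [].concat(payload.aud || []);     // aud may be string or array
    const expected = [].concat(options.audience);
    if (!claimed.some((a) => expected.includes(a))) { // exact match, slash included
      throw new Error(`jwt audience invalid. expected: ${expected.join(' or ')}`);
    }
  }
  if (options.issuer !== undefined && payload.iss !== options.issuer) {
    throw new Error(`jwt issuer invalid. expected: ${options.issuer}`);
  }
  return payload;
}

// Constructed samples: an access token whose aud is the API identifier, and an
// ID token whose aud is the client ID (placeholder), as Auth0 issues them.
const header = base64urlEncode({ alg: 'RS256', typ: 'JWT' });
const issuer = 'https://example.auth0.com/';
const accessToken = `${header}.${base64urlEncode({ iss: issuer, sub: 'auth0|123',
  aud: ['http://localhost:3003/api/', 'https://example.auth0.com/userinfo'] })}.sig`;
const idToken = `${header}.${base64urlEncode({ iss: issuer, sub: 'auth0|123',
  aud: 'CLIENT_ID_PLACEHOLDER' })}.sig`;

// Returns 'ok' or the error message, so each case can be compared directly.
function tryCheck(token, options) {
  try { checkClaims(token, options); return 'ok'; } catch (e) { return e.message; }
}
```

Run with `audience: 'http://localhost:3003/api/'` the access token passes, the same value without the trailing slash and the ID token both fail with the thread's "jwt audience invalid" message, and `aud:` instead of `audience:` lets even the ID token through.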

Was experiencing this. Was my failure of using my id_token rather than my authorizationToken.

alukach avatar Sep 21 '18 20:09 alukach

Came here and realized my ignorance of ID Token vs Access Token. This post helped clear things up for me:

https://community.auth0.com/t/what-is-the-difference-between-idtoken-accesstoken/10843

nikosolihin avatar Mar 20 '19 08:03 nikosolihin

A great summary of how things are supposed to work can be found in this comment

Standaa avatar Mar 28 '19 18:03 Standaa