Comments (12)
Hello @Mazzzy please try this:
// Validate access_token
var jwtCheck = jwt({
secret: config.secret,
aud: config.audience,
issuer: config.issuer
});
Change audience
to aud
in the jwtCheck function as seen in the above piece of code. That should work!
from nodejs-jwt-authentication-sample.
Only worked for me with aud
instead of audience
and removing issuer
ʕノ•ᴥ•ʔノ ︵ ┻━┻
([email protected])
export default jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
}),
// documented as audience but only works as "aud"
aud: process.env.AUTH0_AUDIENCE,
// documented as required but only works without
// issuer: `https://${process.env.AUTH0_DOMAIN}`,
algorithms: ["RS256"]
});
from nodejs-jwt-authentication-sample.
@Mazzzy and @9swampy. This repo returns two tokens, an id_token
and an access_token
. The access_toke
n should be the token sent as an Authorization Header.
Also, did you specify the audience in the backend when you cloned this repo?
from nodejs-jwt-authentication-sample.
i think the audience is not checked correctly if it is set. ... if i set audience not at all then i also dont need to set aud so it's not aud that does the "fix".. it just works when audience is not set. ( "express": "^4.16.2", "express-jwt": "^5.3.0", "jwks-rsa": "^1.2.1")
jwtCheck = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: "https://xx.eu.auth0.com/.well-known/jwks.json"
}),
//audience: 'xx-xx-api',
issuer: "https://xx.eu.auth0.com/",
algorithms: ['RS256']
});
Internally seems to be used the client id.. because if you set audience to your client id then its the only way audience is not making that error.
from nodejs-jwt-authentication-sample.
Even, I am facing the same issue. :(
When I try to get protected quotes, it gives the error
UnauthorizedError: jwt audience invalid. expected: undefined
Can anyone please help on this?
from nodejs-jwt-authentication-sample.
What audience value do I need to specify in config.json of backend?
from nodejs-jwt-authentication-sample.
Any value of your choice can be your audience
in the config.json. Example:
So, when the access_token
is been signed, it takes it into consideration before signing.
function createAccessToken() {
return jwt.sign({
iss: config.issuer,
aud: config.audience,
exp: Math.floor(Date.now() / 1000) + (60 * 60),
scope: 'full_access',
sub: "lalaland|gonto",
jti: genJti(), // unique identifier for the token
alg: 'HS256'
}, config.secret);
}
It then goes ahead to validate the access_token
before given access to the protected random route.
// Validate access_token
var jwtCheck = jwt({
secret: config.secret,
audience: config.audience,
issuer: config.issuer
});
from nodejs-jwt-authentication-sample.
Same above values are there in code, but dont know whats wrong with it.
Do I need to configure something different?
from nodejs-jwt-authentication-sample.
You have an audience value in your config.json file? @Mazzzy
from nodejs-jwt-authentication-sample.
I'm struggling with the same issue for the past few hours.
I added as an actual audience in my express api the clientID, because the application token always get signed with the actual client Id.
Like this I'm imagining we can accept only 'calls' from our desired application, if we'd have many we'd get an error.
I guess it's good for something.
from nodejs-jwt-authentication-sample.
Thanks guys, was struggling with similar situation some hours ago...but reading through the comment lit me up.
from nodejs-jwt-authentication-sample.
Apparently you are not supposed to bypass audience by using aud in an SPA <> API authorization flow.
I found an amazing summary of how its supposed to be done in that comment. It works flawlessly on my end (Angular2 + Nodejs API).
from nodejs-jwt-authentication-sample.
Related Issues (15)
- package.json points to in-memory-todo repo
- Can't start server HOT 1
- The app fails with "Cannot GET / HOT 4
- Where do I actually see how the log in mechanism works
- where does the submission details get stored?
- random-quote occasionally returns empty string as a quote
- Return 401 when token is expired
- package.json contains references to 'in-memory-todo'
- UnauthorizedError: jwt issuer invalid. expected: undefined HOT 6
- How to exclude a route from jwt token verification HOT 1
- jwt issuer invalid. expected: https://login.microsoftonline.com/******/v2.0
- authentic endpoint
- Uses old JWT with known issue. HOT 1
- How to access the 'extra' information on the client side? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nodejs-jwt-authentication-sample.