
Comments (12)

unicodeveloper commented on May 9, 2024 (54)

Hello @Mazzzy please try this:

var jwt = require('express-jwt');      // express-jwt middleware
var config = require('./config.json'); // holds secret, audience and issuer

// Validate access_token on protected routes
var jwtCheck = jwt({
  secret: config.secret,
  aud: config.audience,
  issuer: config.issuer
});

Change audience to aud in the jwtCheck function as seen in the above piece of code. That should work!

from nodejs-jwt-authentication-sample.

teebot commented on May 9, 2024 (19)

Only worked for me with aud instead of audience and removing issuer ʕ⁠ノ⁠•ᴥ•ʔ⁠ノ ︵ ┻━┻
([email protected])

import jwt from "express-jwt";
import jwks from "jwks-rsa";

// Middleware that validates RS256 access tokens against the tenant's JWKS
export default jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
  }),

  // documented as audience but only works as "aud"
  aud: process.env.AUTH0_AUDIENCE,

  // documented as required but only works without
  // issuer: `https://${process.env.AUTH0_DOMAIN}`,

  algorithms: ["RS256"]
});


unicodeveloper commented on May 9, 2024 (16)

@Mazzzy and @9swampy. This repo returns two tokens, an id_token and an access_token. The access_token should be the token sent as an Authorization Header.

Also, did you specify the audience in the backend when you cloned this repo?


jaydioar commented on May 9, 2024 (8)

I think the audience is not checked correctly if it is set. ... If I don't set audience at all, then I also don't need to set aud, so it's not aud that does the "fix"; it just works when audience is not set. ( "express": "^4.16.2", "express-jwt": "^5.3.0", "jwks-rsa": "^1.2.1")

var jwt = require('express-jwt');
var jwks = require('jwks-rsa');

// Validate RS256 tokens against the tenant's JWKS; audience left unset
var jwtCheck = jwt({
  secret: jwks.expressJwtSecret({
    cache: true,
    rateLimit: true,
    jwksRequestsPerMinute: 5,
    jwksUri: "https://xx.eu.auth0.com/.well-known/jwks.json"
  }),
  //audience: 'xx-xx-api',
  issuer: "https://xx.eu.auth0.com/",
  algorithms: ['RS256']
});

Internally the client id seems to be used, because setting audience to your client id is the only way audience does not produce that error.


Mazzzy commented on May 9, 2024 (3)

I am facing the same issue too. :(

When I try to get protected quotes, it gives the error:
UnauthorizedError: jwt audience invalid. expected: undefined

Can anyone please help on this?


Mazzzy commented on May 9, 2024

What audience value do I need to specify in config.json of backend?


unicodeveloper commented on May 9, 2024

Any value of your choice can be your audience in the config.json. Example:

[screenshot: config.json showing an example audience value]

So, when the access_token is being signed, it takes it into consideration before signing.

var jwt = require('jsonwebtoken');
var crypto = require('crypto');
var config = require('./config.json');

// Random id for the jti claim (stand-in for the sample's own genJti helper)
function genJti() {
  return crypto.randomBytes(16).toString('hex');
}

// Sign an HS256 access_token carrying the configured issuer and audience
function createAccessToken() {
  return jwt.sign({
    iss: config.issuer,
    aud: config.audience,
    exp: Math.floor(Date.now() / 1000) + (60 * 60), // one hour
    scope: 'full_access',
    sub: "lalaland|gonto",
    jti: genJti(), // unique identifier for the token
    alg: 'HS256'
  }, config.secret);
}

It then validates the access_token before giving access to the protected random route.

var jwt = require('express-jwt');
var config = require('./config.json');

// Validate access_token: signature, audience and issuer must all match
var jwtCheck = jwt({
  secret: config.secret,
  audience: config.audience,
  issuer: config.issuer
});


Mazzzy commented on May 9, 2024

The same values as above are in the code, but I don't know what's wrong with it.
Do I need to configure something different?


unicodeveloper commented on May 9, 2024

Do you have an audience value in your config.json file? @Mazzzy


ArthurianX commented on May 9, 2024

I'm struggling with the same issue for the past few hours.

I added the clientID as the actual audience in my express api, because the application token always gets signed with the actual client Id.

Like this, I imagine we can accept only 'calls' from our desired application; if we had many we'd get an error.

I guess it's good for something.


tizah commented on May 9, 2024

Thanks guys, I was struggling with a similar situation some hours ago... but reading through the comments lit me up.


Standaa commented on May 9, 2024

Apparently you are not supposed to bypass audience by using aud in an SPA <> API authorization flow.
I found an amazing summary of how it's supposed to be done in that comment. It works flawlessly on my end (Angular2 + Nodejs API).
