Auth0: Invalid access token payload, JWT encrypted with A256GCM algorithm

Time: 02-10

I'm trying to set up a Vue3 SPA with a NestJS API in the back. I set up my Auth0 tenant and client to integrate with the SPA and plan to send the resulting JWTs to my API. In my SPA, I use the vue-auth0-plugin, which uses @auth0/auth0-spa-js under the hood.

I have successfully set up the Auth Code with PKCE flow, up to the point where I receive id, access and refresh tokens. However, something is wrong with the access token and I cannot understand why it is happening. The payload is invalid JSON and the token contains two consecutive dots (".."). When I paste the token into jwt.io, the header is decoded as follows:

{
  "alg": "dir",
  "enc": "A256GCM",
  "iss": "https://xyz.auth0.com/"
}

I would be expecting:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "w1-e..."
}

I have not enabled JWT encryption as far as I know (I used the wizard to set up the SPA client); could anyone point out to me what I am missing? For the sake of completeness, this is the format of my auth request:

https://xyz.auth0.com/authorize
    ?client_id=REq...
    &redirect_uri=http://localhost:1337
    &scope=openid profile email
    &response_type=code
    &response_mode=query
    &state=a2...
    &nonce=bT...
    &code_challenge=GjSw...
    &code_challenge_method=S256
    &auth0Client=eyJu...

Many thanks in advance.

CodePudding user response:

As Gary said, the token is in JWE format. According to this Auth0 community post, the solution to the missing payload is to provide an audience parameter. You should be able to include that parameter in the query string to the /authorize endpoint.
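Added example, not part of the original thread and not code from Auth0 or the plugins mentioned: a small Python helper that tells a JWE-style token (five segments, "enc" in the header, empty second segment when alg is "dir", which is what produces the ".." in the question) apart from the expected three-segment JWS, and a builder that reproduces the query string from the question with an audience parameter added. The two sample tokens are constructed inline with fake segment contents; the domain, client id and audience value are placeholders, not real tenant data.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_token(token: str) -> dict:
    """Classify a compact JOSE token as JWS or JWE from its shape and header.

    A JWS (what an API expects from Auth0 when an audience is set) has
    header.payload.signature. A JWE has five segments:
    header.encrypted_key.iv.ciphertext.tag, and with alg "dir" the
    encrypted_key segment is empty, so the token visibly contains "..".
    """
    parts = token.split(".")
    header = json.loads(_b64url_decode(parts[0]))
    if len(parts) == 5 or "enc" in header:
        kind, readable = "JWE", False
    elif len(parts) == 3:
        kind, readable = "JWS", True
    else:
        raise ValueError(f"unexpected number of segments: {len(parts)}")
    return {
        "kind": kind,
        "header": header,
        "segments": len(parts),
        "payload_readable": readable,
        # Hypothetical hint text for the operator, not an Auth0 message.
        "hint": None if readable else "opaque token: request an audience so the API gets a JWS",
    }


def build_authorize_url(domain: str, client_id: str, redirect_uri: str, audience: str,
                        state: str, nonce: str, code_challenge: str,
                        scope: str = "openid profile email") -> str:
    """Mirror the /authorize request from the question, plus the audience parameter."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "audience": audience,
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def audience_requested(url: str) -> bool:
    """Check whether an /authorize URL carries a non-empty audience parameter."""
    qs = parse_qs(urlparse(url).query)
    return bool(qs.get("audience", [""])[0])


# Constructed samples: segment bodies are fake bytes, only the shape matters.
_filler = _b64url_encode(b"constructed-sample-bytes")
JWE_SAMPLE = ".".join([
    _b64url_encode(json.dumps({"alg": "dir", "enc": "A256GCM", "iss": "https://xyz.auth0.com/"}).encode()),
    "",          # alg "dir": no encrypted key, hence the ".." seen in the question
    _filler,     # iv
    _filler,     # ciphertext
    _filler,     # tag
])
JWS_SAMPLE = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}).encode()),
    _b64url_encode(json.dumps({"sub": "constructed", "aud": "https://api.example.invalid"}).encode()),
    _filler,     # signature
])

if __name__ == "__main__":
    print(inspect_token(JWE_SAMPLE))
    print(inspect_token(JWS_SAMPLE))
    url = build_authorize_url("xyz.auth0.com", "CLIENT_ID_PLACEHOLDER", "http://localhost:1337",
                              "https://api.example.invalid", "state", "nonce", "challenge")
    print(url, audience_requested(url))
```

Running this against a real token copied from the browser only decodes the header, so it is safe to use as a first check before chasing configuration: if the result is "JWE", the token was never meant for your API to read, and the fix is on the authorization request (audience), not in the API's verification code.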
