
javascript - Auth0 authorizer rejects JWT token from service - "jwt issuer invalid. expected: https://myservice.auth0.com"


I'm walking through the tutorials for setting up auth0 as an API gateway authorizer for AWS listed here: https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers

I am using the recommended authorizer from here: https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer

The only modification has been to the config files.

However, when testing the authorizer function, I get the following error:

{"name":"JsonWebTokenError","message":"jwt issuer invalid. expected: https://MYSERVICE.auth0.com"}

Where MYSERVICE is the auth0 api I have set up. This is confusing, because I've gotten the jwt token through this method:

curl --request POST \
--url https://MYSERVICE.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"MY_ID","client_secret":"MY_SECRET","audience":"TestApi","grant_type":"client_credentials"}'

The resulting token can be loaded into the debugger tool at https://jwt.io/, and it reports the iss field as https://MYSERVICE.auth0.com

Is there a misconfiguration that might cause this issue?

asked Mar 21, 2018 at 15:16 by Dan Monego; edited Mar 21, 2018 at 18:09
  • Please can you take a screenshot of the jwt.io claims and attach to question. – arcseldon Commented Mar 21, 2018 at 17:00
  • FYI only - recently went through the same steps and it all "just worked". – arcseldon Commented Mar 21, 2018 at 17:01
  • @arcseldon screenshot attached – Dan Monego Commented Mar 22, 2018 at 14:34
  • Ok so your JWT does have "/" on end of issuer. What about your custom authorizer in AWS API gateway? – arcseldon Commented Mar 23, 2018 at 1:00

2 Answers

Went through the entire tutorial after reading your question, and this worked for me (I had already done this recently).

Unclear, but from the error message reported in your question, it looks like the expected issuer does not have a trailing / on the end.

However, mine definitely DID have that. Here is a screenshot from JWT.IO of a token that is working.

You can simply send that to the API (using Postman), appending it as an Authorization: Bearer {{token}} header. Using the tutorial's API (AWS petshop), I receive the output:

[
    {
        "id": 1,
        "type": "dog",
        "price": 249.99
    },
    {
        "id": 2,
        "type": "cat",
        "price": 124.99
    },
    {
        "id": 3,
        "type": "fish",
        "price": 0.99
    }
]

It would be helpful to see your JWT token's iss and aud (audience) values.

Little late to the party, but this worked for my Blazor WASM ASP.NET Core 3.1 Web API project when I set up a custom domain and received the same error.

The fix for me was to set the TokenValidationParameters.ValidIssuer = [MY_CUSTOM_DOMAIN] in the Startup.cs class of my web service app.

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
  services.AddAuthentication(options =>
  {
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
  })
  .AddJwtBearer(options =>
  {
    // Authority is the Auth0 tenant; the bearer middleware loads the OIDC metadata and signing keys from here.
    options.Authority = Configuration["Auth0:Authority"];
    options.Audience = Configuration["Auth0:ApiIdentifier"];
    // With a custom domain the token's iss is the custom domain (trailing "/" included), not the tenant domain, so pin it explicitly.
    options.TokenValidationParameters.ValidIssuer = Configuration["Auth0:Issuer"];
  });
}

Here is my appsettings.config for my server:

{
  "AllowedHosts": "*",
  "Auth0": {
    "Authority": "[AUTH0_TENANT_DOMAIN]",   // i.e. https://prod-mydomain.us.auth0.com
    "Issuer": "[MY_CUSTOM_DOMAIN]",         // i.e. https://login.mycustomdomain/
    "ApiIdentifier": "[MY_API_DOMAIN]"      // i.e. https://example/api
  }
}

IMPORTANT! => I had to include a trailing "/" in the URL for my custom domain like this: https://login.mycustomdomain/. You can verify whether you need a trailing "/" by looking at the iss value found in the bearer token (at jwt.io or jwt.ms) passed during the call to your web service.
