Access denied following instructions #136

Closed
wozzo opened this issue Oct 20, 2020 · 4 comments

wozzo commented Oct 20, 2020

Describe the problem

We were previously using auth0-lock.
Having followed the instructions on the Auth0 React SDK Quickstart, when I attempt to log in the redirects all happen, then a POST to our auth0 domain /oauth/token endpoint returns a 401 with the following response.

{"error":"access_denied","error_description":"Unauthorized"}

In the Auth0 logs I can see the following rows, but no information as to what is missing

| Type | Description | Date↓ | Connection | Application↓ |
|---|---|---|---|---|
| Success Login | Successful login | a few seconds ago | Username-Password-Authentication | MCO Admin App |
| Failed Exchange | Unauthorized | 10 minutes ago | N/A | N/A |

What was the expected behavior?

Token endpoint to return a token for use in the app

Reproduction

I tried this in a copy of the Sample code where the only changes made were to create an auth_config.json with the appropriate values

{
  "domain": "xxxxxx.eu.auth0.com",
  "clientId": "xxxxxxxxxxxxxxxxxxx"
}

and in the index.js commented out the line that set the audience in the Auth0Provider

    //audience={config.audience}

I have also had the same issue occur when providing a value for audience.

Environment

  • Version of auth0-react used: both 1.0.0 and 1.1.0
  • Chrome, Edge, Firefox
  • React

@stevehobbsdev
Contributor

Hi @wozzo, could you please check that you're not being affected by this issue?

@wozzo
Author

wozzo commented Oct 20, 2020

Yup. Looks like that was it, but now I get

Signature algorithm of "HS256" is not supported. Expected the ID token to be signed with "RS256".

How many other settings need specific values for it to work? Is there a document describing the permissible settings?
I think updating this setting would break our current system until we can roll out the new code.
Am I right in thinking the only way around this would be to create a new application?

@stevehobbsdev
Contributor

Yes, if you have apps tied to that Auth0 Application and rely on the HS256 signature algorithm mode, you will need to create a new application that is set to RS256.

The default settings should really work if you're setting up a new Auth0 app - are you using an application that was created quite a while ago, or using the Default App? The default for the signature algorithm for example should now be RS256 (this library does not support HS256 at all), and just make sure Token Endpoint Authentication Mode is set to 'None'.

Creating a new app would be best to get all the defaults, which should work out of the box. If you're able to try that, let me know how you get on.
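
The algorithm check behind the HS256/RS256 error quoted in this thread, as an added example that is not part of the original discussion and is not the auth0-react SDK's own code. `checkIdTokenAlg` and `makeToken` are hypothetical names, the tokens are constructed, and the check reads the header only without verifying any signature.

```javascript
// Added example: algorithm pinning on an ID token's JOSE header.
// It reads the header only and does NOT verify the signature.
const EXPECTED_ALG = "RS256"; // the algorithm named in the thread's error

// Decode one base64url segment of a compact JWT into parsed JSON.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not base64url");
  }
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Hypothetical helper: returns { ok, alg, reason } for a compact ID token.
function checkIdTokenAlg(token, expected = EXPECTED_ALG) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) {
    return { ok: false, alg: null, reason: "not a three-part compact JWT" };
  }
  let header;
  try {
    header = decodeSegment(parts[0]);
  } catch (err) {
    return { ok: false, alg: null, reason: "unreadable header: " + err.message };
  }
  const alg = header && typeof header.alg === "string" ? header.alg : null;
  if (alg === null) {
    return { ok: false, alg, reason: "header has no string \"alg\" value" };
  }
  if (alg !== expected) {
    // Same wording as the error quoted in the thread.
    const reason = `Signature algorithm of "${alg}" is not supported. ` +
      `Expected the ID token to be signed with "${expected}".`;
    return { ok: false, alg, reason };
  }
  return { ok: true, alg, reason: null };
}

// Constructed sample tokens: placeholder payload and signature, no real data.
function makeToken(header) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return [enc(header), enc({ sub: "constructed-user" }), "c2ln"].join(".");
}

for (const alg of ["RS256", "HS256", "none"]) {
  console.log(alg, checkIdTokenAlg(makeToken({ alg, typ: "JWT" })));
}
```

Running it against a token copied from a failing login shows which signing algorithm the Auth0 application is actually issuing before any setting is changed.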

@wozzo
Author

wozzo commented Oct 22, 2020

Was able to get it to work with a new app. Thanks

@wozzo wozzo closed this as completed Oct 22, 2020