Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Unauthorized error: expected audience
See original GitHub issueI’m using express-jwt and jwks-rsa to authorize a Node API with Auth0. Everything has been working great, until I had to do a fresh npm install today. Then when my app tried to make an authorized API request, I received this error:
UnauthorizedError: jwt audience invalid. expected: http://localhost:3003/api/
at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/express-jwt/lib/index.js:102:22
at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/jsonwebtoken/verify.js:27:18
at _combinedTickCallback (internal/process/next_tick.js:67:7)
at process._tickCallback (internal/process/next_tick.js:98:9)
Nothing whatsoever has changed except the fresh npm install. The JWT audience is exactly what it should be.
Issue Analytics
- State:
- Created 6 years ago
- Comments:16
Top Results From Across the Web
UnauthorizedError: jwt audience invalid - Auth0 Community
it looks like the middleware is telling you the audience in the JWT does not match the audience it is expecting. Could you...
Read more >node.js - UnauthorizedError: jwt audience invalid. expected
I'm trying to use IdentityServer4 to protect my nodeAPI. export const jwtauth = jwt({ secret: jwksClient.expressJwtSecret({ cache: ...
Read more >verify token: oidc: expected audience - Henry Xie 's blog
Error : invalid bearer token, oidc: verify token: oidc: expected audience ... error: You must be logged in to the server (Unauthorized).
Read more >OAuth 2.0 Authorization Errors - Salesforce Help
Error Codes · Invalid authorization code. · Invalid user credentials. · Invalid user. · Invalid assertion. · Invalid audience. · IP restricted or...
Read more >Azure AD authentication & authorization error codes
Authentication failed due to flow token expired. Expected - auth codes, refresh tokens, and sessions expire over time or are revoked by the...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
I was able to fix this by changing
audiencetoaud, like so:Another user had previously discovered that they needed to do this and they left a comment in the Auth0 blog to that effect. This was a while back.
I’ve now confirmed that this is required to fix the unauthorized API access error in multiple repos.
Ideally, it should accept both
audienceandaud, because now there are users using both / either depending on what version of express-jwt they’re using, and whether or not they’ve run into this issue yet.UPDATE: This is not a fix, it’s a bypass. Please do not do this.
Came here and realized my ignorance of ID Token vs Access Token. This post helped clear things up for me:
https://community.auth0.com/t/what-is-the-difference-between-idtoken-accesstoken/10843