express-jwt: Unauthorized error: expected audience
I’m using express-jwt and jwks-rsa to authorize a Node API with Auth0. Everything has been working great, until I had to do a fresh npm install today. Then when my app tried to make an authorized API request, I received this error:
UnauthorizedError: jwt audience invalid. expected: http://localhost:3003/api/
at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/express-jwt/lib/index.js:102:22
at /Users/kimmaida-auth0/Documents/Auth0/Blog/Angular Series/mean-rsvp/node_modules/jsonwebtoken/verify.js:27:18
at _combinedTickCallback (internal/process/next_tick.js:67:7)
at process._tickCallback (internal/process/next_tick.js:98:9)
Nothing whatsoever has changed except the fresh npm install. The JWT audience is exactly what it should be.
About this issue
- State: open
- Created 7 years ago
- Comments: 16
I was able to fix this by changing audience to aud, like so:
Another user had previously discovered that they needed to do this and they left a comment in the Auth0 blog to that effect. This was a while back.
I’ve now confirmed that this is required to fix the unauthorized API access error in multiple repos.
Ideally, it should accept both audience and aud, because now there are users using both / either depending on what version of express-jwt they’re using, and whether or not they’ve run into this issue yet.
UPDATE: This is not a fix, it’s a bypass. Please do not do this.
Came here and realized my ignorance of ID Token vs Access Token. This post helped clear things up for me:
https://community.auth0.com/t/what-is-the-difference-between-idtoken-accesstoken/10843
Was experiencing this. Was my failure of using my id_token rather than my authorizationToken.
I always got the error when decoding the ID_TOKEN instead of access_token so I found out that the audience set in the ID_TOKEN is not the same as the one set on the access_token: https://github.com/auth0/auth0.js/issues/473#issuecomment-316982867
Copying straight from the example generated by the quickstart, I got the “jwt audience invalid”. I had to change “audience” to “aud” too to get it working.
+-- express@4.16.2
+-- express-jwt@5.3.0
+-- jwks-rsa@1.2.1
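An added example, not part of the original thread and not express-jwt's or jsonwebtoken's own code: a simplified model of a verifier that checks the token's aud claim only when an audience option is supplied. It shows why renaming the option to aud makes the error disappear by skipping the check, and why an ID token is rejected where an access token passes. The secret, client ID and helper names are constructed for the demo, and HS256 stands in for the RS256/JWKS setup used in the thread.

```javascript
// Simplified model of an audience check (assumption: the verifier only
// enforces `aud` when options.audience is set and ignores unknown options).
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';           // constructed for the demo
const API_AUDIENCE = 'http://localhost:3003/api/';  // audience from the error on this page
const CLIENT_ID = 'constructed-client-id';          // constructed stand-in for an app client ID

const b64url = (data) => Buffer.from(data).toString('base64url');

// Build a constructed HS256 token for the demo.
function sign(payload) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', SECRET).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(mac)}`;
}

// Verify the signature, then compare `aud` only if options.audience is present.
function verify(token, options = {}) {
  const [head, body, sig] = token.split('.');
  const expected = crypto.createHmac('sha256', SECRET).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig || '', 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (options.audience !== undefined) {
    const tokenAud = [].concat(claims.aud ?? []);   // aud may be a string or an array
    if (!tokenAud.includes(options.audience)) {
      throw new Error(`jwt audience invalid. expected: ${options.audience}`);
    }
  }
  return claims;
}

// Returns 'accepted' or the rejection message.
function outcome(token, options) {
  try { verify(token, options); return 'accepted'; } catch (e) { return e.message; }
}

const idToken = sign({ sub: 'user-1', aud: CLIENT_ID });        // ID token: aud is the client ID
const accessToken = sign({ sub: 'user-1', aud: API_AUDIENCE }); // access token: aud is the API

console.log(outcome(idToken, { audience: API_AUDIENCE }));      // rejected: wrong token type
console.log(outcome(idToken, { aud: API_AUDIENCE }));           // accepted: the check never ran
console.log(outcome(accessToken, { audience: API_AUDIENCE }));  // accepted: correct token and option
```

With the option misnamed, any validly signed token from the same issuer is accepted regardless of which API or client it was minted for, so keep the audience option and send the access token.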