
Using Auth0


Really Got Stuck

I used Auth0 for authentication with Cloudflare Workers (cf workers) as the resource server, got really stuck, so I'm writing a memo.

Auth0 is an IdP, like AWS Cognito.

Token is Wrong

The client app was Flutter. Initially I forgot about the audience claim.

Without the audience claim set, Auth0 authentication still passes, and tokens are still returned…

It’s JWT, but JWE?

eyJh....

The returned token looked like a normal (unencrypted) JWT, so I implemented the server side accordingly, but got errors on connection.

Looking closer, it was JWE (encrypted token).

Where’s the Shared Key?

JWE header is readable:

{ "alg": "dir", "enc": "A256GCM", "iss": "https://....us.auth0.com/" }

I thought, OK, Auth0 uses a shared-key method for resource-server verification.

A256GCM needs a 256-bit shared key, but the client secret in the dashboard is 512 bits. Is it base64 encoded? No, that just threw errors.

Discovered

This JWE is an “opaque token.”

https://community.auth0.com/t/decode-jwes-access-token/107508/3

Basically, it's not meant to be used normally.

Trying audience

final credentials = await auth0.webAuthentication().login(
  audience: 'https://example.com',
);

OTHER: An unexpected error occurred. CAUSE: Service not found:

This error occurs when the audience value isn’t configured in Auth0. Makes sense, since I was asking where to set it.

APIs is Too Confusing

I thought the APIs section was for things like banning or creating users directly, but it’s also where the audience is configured.

The Identifier value is what the audience corresponds to. I also thought APIs and Applications were completely independent, but they aren’t; I could use the Native App’s client ID without any special settings.

Re-request

Requesting again returns a normal (unencrypted) JWT. OK.
