Auth0 Setup: I’ve successfully integrated Auth0 into our application, and during the development phase, everything worked seamlessly. The authentication process was smooth on my localhost, and I was able to validate user identities without any issues.
Localhost Testing: Prior to deployment, I rigorously tested the application on my localhost, and the Auth0 integration performed as expected. Access tokens were generated correctly, and the authentication flow was flawless.
Production Deployment Issues: However, the real challenge arose when I took the application live on our test server. Strangely, I started receiving “Invalid Sign Token” errors from Auth0. This was unexpected, especially considering the successful testing on localhost.
This issue is a roadblock in our deployment process, and I’m seeking assistance in resolving it promptly. I’ve reviewed the configuration settings and ensured that the audience and redirect URLs are correctly configured for the live environment.
If anyone has encountered a similar challenge or has insights into why the access token is being flagged as invalid during production deployment, I would greatly appreciate your input. It’s crucial for us to address this issue to ensure a smooth and secure authentication process for our users.
Hi, can you help find out the exact issue and resolve it?
What other details do you need? Let me know so I can provide them.
Your help would be appreciated.
Hey there @javed ! Ty here, I work on the CIC (Auth0) side of the house.
Is the screenshot shared the result of pasting a prod access token into jwt.io? By the looks of it, it’s an opaque access token - Can you confirm an audience param is being passed in the authorize request?
Are you receiving invalid signature errors anywhere in your application code? If so, where and which SDK/library are you using to validate/verify access tokens?
Hi,
These are my back-end credentials for authentication with the express-oauth2-jwt-bearer package. The commented line is used on the production server, and for the localhost test we used that value; on localhost we get the proper access token and auth flow for the users.
Note: do not worry about the credentials being shared, since they are meant for testing. After it works, we are going to set up new ones for the production and testing servers.
Are you receiving invalid signature errors anywhere in your application code? If so, where and which SDK/library are you using to validate/verify access tokens?
In your prod application, can you please share the /authorize request and subsequent params being passed? The easiest way to do this is just to open up developer tools in whichever browser you are working in and inspect the network tab. For example:
For authenticating in the backend we are using the “express-oauth2-jwt-bearer” package available on npm,
and in the front end, to generate the access token, we are using the “auth0/auth0-spa-js” package available on npm.
Hey @javed I apologize for the delayed response here - It doesn’t look like an audience param is being passed in the authorize request by the looks of the screenshot. You’ll want to take another look at how you are configuring Auth0 in the Vue.js SDK to make sure the audience param is getting included:
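The two checks discussed in this thread (is an audience param present on the /authorize request, and is the resulting access token a JWT or an opaque string), as an added example that is not part of any post here and not Auth0 SDK code. The tenant URL, client_id, audience and tokens are constructed, and the function names are hypothetical.

```javascript
// Added diagnostic sketch. Tenant, client_id, audience and tokens are constructed.
function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Classify an access token WITHOUT verifying its signature: this only shows
// whether a JWT validator such as express-oauth2-jwt-bearer has a JWT to parse.
function classifyAccessToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { kind: 'opaque' };
  try {
    const header = b64urlJson(parts[0]);
    const payload = b64urlJson(parts[1]);
    return { kind: 'jwt', alg: header.alg, aud: [].concat(payload.aud ?? []) };
  } catch {
    return { kind: 'opaque' }; // three segments, but not base64url-encoded JSON
  }
}

// Compare what the front end sent to /authorize with what the API expects.
function diagnose(authorizeUrl, accessToken, expectedAudience) {
  const findings = [];
  const sent = new URL(authorizeUrl).searchParams.get('audience');
  if (!sent) findings.push('authorize request has no audience param');
  else if (sent !== expectedAudience) findings.push(`audience mismatch: sent ${sent}`);
  const tok = classifyAccessToken(accessToken);
  if (tok.kind === 'opaque') findings.push('access token is opaque, not a JWT');
  else if (!tok.aud.includes(expectedAudience)) findings.push('JWT aud claim lacks the API audience');
  return findings;
}

// Constructed sample data (placeholders, not real tenant values)
const API_AUDIENCE = 'https://api.example.test';
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJwt = [enc({ alg: 'RS256', typ: 'JWT' }),
  enc({ iss: 'https://tenant.example.test/', aud: [API_AUDIENCE] }), 'c2ln'].join('.');
const badUrl = 'https://tenant.example.test/authorize?client_id=abc&response_type=code&scope=openid';
const goodUrl = badUrl + '&audience=' + encodeURIComponent(API_AUDIENCE);

console.log(diagnose(badUrl, 'kJ3xQ9constructedOpaqueToken', API_AUDIENCE));
console.log(diagnose(goodUrl, sampleJwt, API_AUDIENCE));
```

The classification only decodes the token; signature, issuer and expiry validation still belong to the back-end middleware.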