
How to get correct Auth0 bearer token?

Tags: jwt, auth0, koa

I want to get the Auth0 bearer token for my Node.js app.

I got the bearer token by doing this:

curl https://myproject.eu.auth0.com/oauth/token --data "client_id=ID&client_secret=SECRET&type=web_server&grant_type=client_credentials"

Which returned me:

{
  "access_token": *BEARER TOKEN*,
  "token_type": "Bearer"
}

Though, if I use that token with Postman in the Auth header, it tells me: Invalid token. So how do I get the correct bearer token then?

My server looks like this:

const koa = require('koa');
const route = require('koa-route');
const jwt = require('koa-jwt');
const testRoute = require('./testRoute');

const app = koa();
//Copy pasted those values from my auth0 dashboard
const authentication = jwt({
  // Buffer.from replaces the deprecated new Buffer() constructor
  secret: Buffer.from(*CLIENT_SECRET*, 'base64'),
  audience: *YOUR_CLIENT_ID*
});
app.use(authentication);
app.use(route.get('/test', testRoute));
app.listen(3000);

I followed this guide to set it up: https://auth0.com/docs/quickstart/backend/nodejs/.

MoeSattler asked Feb 08 '23 12:02


1 Answer

The access_token is an opaque token, not a JWT which your application is expecting. If you use scope=openid when making the call to /oauth/token you'll get back an id_token as well, which is a JWT that your API should accept.

You can read more about how the scope parameter works in the context of Auth0 here: https://auth0.com/docs/scopes

Rodrigo López Dato answered Feb 12 '23 10:02
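
The difference the answer describes, as an added example that is not part of the original post or of Auth0's or koa-jwt's code: a hand-written HS256 check using Node's crypto module, showing an opaque access_token failing before any signature check while a signed JWT with the expected audience passes. The client id, secret, function names and result strings are constructed for the demo, and requiring an exp claim is an assumption of this example.

```javascript
const crypto = require('crypto');

// Constructed demo values, not real Auth0 credentials.
const CLIENT_ID = 'demo-client-id';
const CLIENT_SECRET_B64 = Buffer.from('demo-signing-key-0123456789').toString('base64');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data, key) => crypto.createHmac('sha256', key).update(data).digest();

// Hypothetical helper: mints a sample HS256 JWT so the demo runs offline.
function mintSample(claims, key) {
  const head = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${head}.${hmac(head, key).toString('base64url')}`;
}

// Classify a bearer value the way an HS256 + audience check would.
function checkBearer(token, secretB64, audience, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'not-a-jwt'; // an opaque access_token ends up here
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return 'not-a-jwt';
  }
  if (!header || !claims || typeof claims !== 'object') return 'not-a-jwt';
  if (header.alg !== 'HS256') return 'bad-alg'; // pin the algorithm, do not trust the header
  const key = Buffer.from(secretB64, 'base64'); // same decoding as the question's config
  const expected = hmac(`${parts[0]}.${parts[1]}`, key);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  if (![].concat(claims.aud).includes(audience)) return 'bad-audience';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'expired';
  return 'ok';
}
```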