1

I took this project as starting point: https://github.com/auth0-samples/auth0-python-web-app

According to https://auth0.com/docs/tokens/access-token, I am supposed to get a JWT if I set the audience to an URL pointing to a custom API. This is exactly what I have done, but still I only get an opaque Access Token, as if the audience would still point to abc.eu.auth0.com/userinfo

I wonder, if I need to do something else to get the JWT?

I have already tried to add "access_token_params":

 auth0 = oauth.remote_app(
    'auth0',
    consumer_key=AUTH0_CLIENT_ID,
    consumer_secret=AUTH0_CLIENT_SECRET,
    access_token_params={
        'scope': 'openid profile',
        'audience': AUTH0_AUDIENCE
    },
    request_token_params={
        'scope': 'openid profile',
        'audience': AUTH0_AUDIENCE
    },
    base_url='https://%s' % AUTH0_DOMAIN,
    access_token_method='POST',
    access_token_url='/oauth/token',
    authorize_url='/authorize',
)

Sadly, no success. I would be glad if you could give me hints what I might have missed.

Improve this question

1 Answer 1

Reset to default
2

You do not need the access_token_parameters argument in the remote_app definition.

Within your callback route the code should look something like this:

@app.route('/auth/callback/')
def auth_callback():
    response = auth0.authorized_response()
    print(response.get("id_token"))

The response from this call is a dictionary which contains the access_token as well as an id_token which is the JWT

If you intend to get information out of this JWT you need to parse it with an appropriate 3rd party library. There are several available... you can also validate the token (e.g. see the contents) through this website:

https://jwt.io/ (paste the output of the "print" command above into the debugger)

There is also a list of python libraries and their capabilities below their JWT debugger on this site.

It, roughly, contains the same information that you get when you exchange the access_token with the /userinfo/ endpoint to get a user's profile.

Also...

I found, when I switched from using the Lock library to the Flask-OAuthlib library that I needed to add "email" into the scope parameter. This depends on the connection types you allow, but my scope now looks like: "openid profile email"

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.