Invoking fetchUserInfo when using Auth0

[zam6ak]

Hi

I am using openid-client v6.4.2 with Node.js web application (not SPA) that uses Express.js v5.1.0 and PassportJS v0.7.0 (all the latest as of this post).
The IdP I am integrating with is Auth0...

Everything is working as expected except for one route in my app where I need to make a call to UserInfo endpoint.
To make the call I need to supply access token to fetchUserInfo() method
https://github.com/panva/openid-client/blob/main/docs/functions/fetchUserInfo.md

However, I have noticed that Auth0 does not issue valid access_token during authorization code flow.
I get ID token and I get access token but the access token has empty payload.
According to Auth0 docs, to get full access token, one must supply audience during authorization request.
And I don't see a way to specify audience parameter in Passport strategy or elsewhere...

Is there a way to specify audience in the above setup in order to get access_token and be able to call fetchUserInfo() ?

P.S.
I am aware that I could use "express-openid-connect" package from Auth0, but I am trying to keep my app agnostic from IDP specific libraries.
For example, the same app in question works just fine if I use Keycloak as IdP.

[panva]

However, I have noticed that Auth0 does not issue valid access_token during authorization code flow.

I find that hard to believe. Not sure what you mean by "valid" here.

but the access token has empty payload.

Auth0 issues opaque access tokens when no audience is specified. And those tokens are valid for the UserInfo Endpoint given they were issued in response to an authorization request with the openid value amongst its scope authorization parameter.

Bottom line, your existing access token should work just fine. Lacking any further details from you it's hard to say why it doesn't.

to get full access token, one must supply audience during authorization request.

What do you mean by "full"? Specifying an audience means the access token will be a signed JWT for a target API (indicated by the audience authorization parameter). In addition to that, if the API configuration at Auth0 is done so that the token is signed using an asymmetric digital signature algorithm, such as RS256, that token will also have the userinfo endpoint as its audience (in addition to the API).

And I don't see a way to specify audience parameter in Passport strategy or elsewhere...

The strategy's authorizationRequestParams method is the place to overload and add parameters to, if you want these to be dynamic per whatever .authenticate() call you make, its argument /TOptions/ will be the params passed to .authenticate()

I am aware that I could use "express-openid-connect" package from Auth0, but I am trying to keep my app agnostic from IDP specific libraries.

As indicated by the name not including "auth0", express-openid-connect is an idp-agnostic library much like this one. And FWIW I am also affiliated with Auth0, that being said my libraries pre-date said affiliation.

[zam6ak]

I find that hard to believe. Not sure what you mean by "valid" here.

I should have clarified.
The access token issued by Auth0 (when you don't specify audience) is missing payload part (only header and signature are present).
At the first glance, it appeared to me as "invalid", but the proper term should have been (as you indicated) "opaque"

Bottom line, your existing access token should work just fine.

I can confirm, this works - using the same opaque access_token, I was able to issue fetchUserInfo() and get the response!
Having dealt with other IdP (primarily Keycloak) I didn't expect token missing payload to work, so this is on me.

...

The strategy's authorizationRequestParams method is the place to overload and add parameters to, if you want these to be dynamic per whatever .authenticate() call you make, its argument /TOptions/ will be the params passed to .authenticate()

Thank you for the pointer! This helps...
Although I am curious, after looking at the code, I could be passing audience via options arg during login via:
passport.authenticate(oidcServerURL.hostname, {..options})(req, res, next);
but it seems that only 2 properties are allowed (scope, and prompt)....
I am guessing this is intentional and one must override the method....

As indicated by the name not including "auth0", express-openid-connect is an idp-agnostic library much like this one.

I didn't realize this would work with other IdP... I can try it when I get a chance/
I did notice that library has dependency on "openid-client": "^4.9.1"

Again, thanks for the help
Z

[panva]

Although I am curious, after looking at the code, I could be passing audience via options arg during login via: passport.authenticate(oidcServerURL.hostname, {..options})(req, res, next);
but it seems that only 2 properties are allowed (scope, and prompt)....

Those types come from @types/passport.

import type passport from 'passport'
export class Strategy implements passport.Strategy { }

I am guessing this is intentional and one must override the method....

Yes.