Auth0 Token Auth Returning "undefined" Token

  • Goal: Create a new GraphQL resource using Auth0 Client Credentials Flow for a new API we've created

  • Steps:

  1. Created a new "API" in Auth0 for our new GraphQL API
  2. Granted access to the API to our "Retool" client "Application" in Auth0
  3. Created a new GraphQL Resource in Retool.
  4. Entered the new API URL
  5. Selected "Auth0 Client Credentials" as the authentication mechanism for the API
  6. Entered the Client ID, Client Secret, and Audience from Auth0 to authenticate the Retool application for the new API audience.
  7. Clicked "Test Connection".
  8. Saw connection failed errors.

When I debug the request, I see that Retool is properly setting an Authorization header on the request, but it says "------ sanitized ------ " in the console. Fair enough. So I added temporary logging to our API while we set this up to log out the headers. The log shows "Authorization: Bearer undefined" as the header. If I go back, remove the Auth0 Client Credentials authentication mechanism from the resource, and manually input a JWT generated from Auth0 for that App/API combo into the Authentication header for the resource, everything works fine and the proper token is logged out in my app.

  • Details:
    I've tried a lot of things to debug this. I've created a new Application in Auth0 just for this API; that didn't work. I've duplicated an existing Resource that should have the exact same configuration as this Resource with the exception of the Base URL and audience. That didn't work either, but it failed in a different way: it was sending an Auth0 JWT token to my API, but it was a cached one from the original resource! It had the wrong audience, so my API won't accept it.

  • Screenshots: Unfortunately due to the sensitive nature of this kind of configuration I don't feel like publicly sharing any screenshots.

I've just taken a look at the Auth0 logs and I see that Retool has successfully done the client credentials exchange to get a token, but again, for some reason, that token isn't making it to my Authorization header.

Well... after doing nothing, it just started working?

:man_shrugging:

It'd be really great if we had more visibility into what's going on here so that we could debug things. I guess we can close out this "ticket".
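Added example, not code from the original post, Retool or Auth0: a Python sketch of the client-side checks that turn the two failure modes above (a token response without the expected field, which degrades into "Bearer undefined", and a cached token minted for a different audience) into explicit errors. It assumes Auth0's /oauth/token response carries the token in `access_token`; the API URLs are placeholders and the demo tokens are constructed, unsigned JWT-shaped strings.

```python
import base64
import json
import time

def _b64(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def make_demo_jwt(payload: dict) -> str:
    """Constructed, unsigned JWT-shaped token for the offline demo (not Auth0 output)."""
    return f"{_b64({'alg': 'none', 'typ': 'JWT'})}.{_b64(payload)}.demo-signature"

def decode_claims(jwt: str) -> dict:
    """Read the payload without verifying the signature: client-side diagnostics only,
    never a substitute for the API's own signature check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError(f"not a JWT: {jwt[:20]!r}")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def build_auth_header(token_response: dict, expected_audience: str) -> dict:
    """Turn an /oauth/token response into the Authorization header, refusing to send
    'Bearer undefined' or a token minted for a different audience."""
    token = token_response.get("access_token")  # the field Auth0 returns
    if not isinstance(token, str) or not token:
        raise ValueError(f"no access_token in response; keys: {sorted(token_response)}")
    claims = decode_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        raise ValueError(f"token audience {auds} != {expected_audience!r} (stale cache?)")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired; repeat the client credentials exchange")
    return {"Authorization": f"Bearer {token}"}

class TokenCache:
    """Keyed by (client_id, audience): keying on client_id alone is how a duplicated
    resource ends up sending a token minted for the original API."""
    def __init__(self):
        self._store = {}
    def get(self, client_id: str, audience: str, fetch):
        key = (client_id, audience)
        if key not in self._store:
            self._store[key] = fetch(audience)  # fetch performs the /oauth/token POST
        return self._store[key]

# Constructed sample responses (not captured from Auth0).
NEW_API, OLD_API = "https://new-api.example", "https://old-api.example"
GOOD = {"access_token": make_demo_jwt({"aud": NEW_API, "exp": 2_000_000_000})}
RENAMED = {"token": "x.y.z"}  # no 'access_token' field -> would become "Bearer undefined"
STALE = {"access_token": make_demo_jwt({"aud": OLD_API, "exp": 2_000_000_000})}
```

Logging the rejected response's keys and the token's `aud` claim, rather than the token itself, gives the visibility the post asks for without putting the secret in the logs.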

Hello @noseworthy!

Sorry about the confusion; Retool does obfuscate confidential data for security purposes, as you saw with the "------ sanitized ------ " in the console log.

But this can definitely be a double-edged sword when it comes to troubleshooting and debugging.

I can raise this internally to see if we can have a 'troubleshooting' mode to help users see what tokens are being passed and display the cache to see how things are being stored, as well as where the token data is when being passed from the credentials exchange to the Auth header!

Glad everything worked and also not sure why it was returning undefined at the start :sweat_smile:

1 Like