Authentication API /userinfo missing the user_id

daniele · November 14, 2017, 10:50pm

Hi. I have setup a working webapp to authenticate users with auth0 using Facebook and Google. Everything seem ok but the user_id is always missing or undefined in user profile, both in the webapp callback *(using passport-js) as well in the direct API call.
Please see it yourself:

curl --request GET \
  --url 'https://airwork.eu.auth0.com/userinfo' \
  --header 'authorization: Bearer 16TtWVnZPLjR61UwslPP6-K_bWXUEekS' \
  --header 'content-type: application/json'

Any idea what is going on? Thanks.

daniele · November 14, 2017, 10:54pm

for instance, the output of that curl call is the same I get using the auth0 authentication client in nodejs, using the same webapp id and secret:

var AuthenticationClient = require('auth0').AuthenticationClient;
var auth0 = new AuthenticationClient({
  domain: 'airwork.eu.auth0.com',
  clientId: WEBAPP_ID,
  clientSecret: WEBAPP_SECRET
});    
auth0.getProfile('16TtWVnZPLjR61UwslPP6-K_bWXUEekS')
.then(response => {
  console.log(response)
})
.then(error => {
  console.error(error)
})

jmangelo · November 15, 2017, 12:33am

@daniele I slightly redacted the access token (if you wish you can further redact it yourself or update the question/comment to not include it). Have in mind that editing it may still leave the original one in revisions history so next time consider not posting the real access token and just include the response you obtained (ideally after redacting any info you deem sensitive).

jmangelo · November 15, 2017, 12:35am

The user identifier should be included in the subclaim, if that claim is not present then ensure that you’re including openid as one of the scope values. If that is not the underlying issue more information may be required about client application settings used to obtain the access token for user information endpoint.

yomismo · January 14, 2018, 9:03pm

Is it safe to assume sub as the user_id information ?

jmangelo · January 15, 2018, 10:36pm

In this case it is safe to assume sub will contain a stable user identifier that uniquely identifies the user within the scope of the identity provider (the Auth0 service) as that it’s what the OIDC specification mandates. At this time, the sub claim is filled with the user_id information and is unlikely to change, but the most useful characteristics are the ones mandated by the spec; unique and stable (does not change across the lifetime of the end-user account).