Trusting the id_token sent to API from a SPA

Hello,

I’m building a single page app that makes requests to an API endpoint.

I followed this tutorial and implemented a login screen with auth0.WebAuth in JS.

After a successful login, I attach the access_token to all subsequent requests to my API server.

However, the API server needs to know the roles of the user. The recommendation is to make a request to /userinfo from the server with the passed access_token in order to get the id_token.

Why can’t I just pass the id_token from the SPA inside the request and use its contents? This way I can avoid unnecessary requests to Auth0.

Thanks,

Edi Buslovich.

Finally, according to the answer here (Get user data server side - Auth0 Community), I created a rule to insert the user roles into the access token:

    function (user, context, callback) {
      // Custom claims must be namespaced (a URL prefix); Auth0 drops
      // non-namespaced custom claims from the tokens it issues.
      var namespace = 'https://mydomain.com/';
      // Guard against users that have no app_metadata yet; without this the
      // rule throws a TypeError and the login fails for those users.
      var roles = (user.app_metadata && user.app_metadata.roles) || [];
      context.accessToken[namespace + 'roles'] = roles;
      callback(null, user, context);
    }