How can I access the raw ID token JWT from the SPA SDK? I need to pass a JWT with custom claims to Hasura.
Did you try one of the quick start packages? API and SPA Configuration (SPAs + API) or Auth0 Single-Page App Quickstarts for other languages.
You should give you access token on ->authorize() . Unless you are doing the Authorization Code Flow, Authorization Code Flow with Proof Key for Code Exchange (PKCE)
where you get code in callback url param and you exchange it in another call to get id_token and access_token.
FYI, it is not best practice to send id_token to other applications.
Why exactly is it bad practice to use the ID Token for authentication in another app? I’m using GraphQL on serverless, which means I can’t afford to do a http request on every single call to my endpoint in order to verify an access token and get a person’s information. I can however, include a cert to verify an ID Token is valid and use it to pull out a user’s information from my own database.
Ref Is there a best practice for what info can be in access token - #2 by baskarrao.dandlamudi – where they say that you can use either if backend is your own and not some 3rd party service.
and for http request on every single call to my endpoint in order to verify an access token
– I think how we do it it is we generate a JWT access_token and not the string one. We have rules that add additional info to access_token jwt that graphql can use.
In graphql or other api we verify the jwt is valid (there are libs) and once verified we decode it to get that info which can be used to make further calls / lookup.
Since jwt access_token will be sent in from browser as headers to graphql / api, we kept info in jwt such that if someone malicious get access to that JWT and decode it those ids would mean nothing to them. Also due to the expiry time they might be able to use that JWT access_token and call my graphql directly (that is assuming they know the graphql) only for a period of 10 mins or so.