Access the raw Access Token/JWT in my backend API and get all claims

andreas.lundgren · February 20, 2023, 4:56pm

I have some custom state encoded as a claim in my Access Token (JWT) for quick access in the backend. User is logged in via our SPA or apps, and sends the Access Token to the Backend. I have backend in Node/JS and in Python, but in the provided SDK:s, I cannot find a method to fetch back the provided claims (with my custom “state”) in the JWT.

I can of course just read the token from the request header myself, maybe that is the recommended way?

Details
I use a Login Flow of Auth0 to attach some more information to the JWT. This will speed up my backend as the most used pieces of the state is stored directly in the JWT. Now most backend calls can be served after just examining the JWT, without the delay of getting additional user info from the auth0 API or from some session cache in my backend.

Switching from a proprietary solution to auth0, I have a hard time finding a method in any of the backend SDK:s to fetch back the claims from the access token. From the Frontend I can verify that the JWT is correct using (from the example code) auth0Client.getTokenSilently(). In the backend, this method is not usable since I don’t want for a new token, just access the one that was attached in the Authorization Bearer header of the request.

spoudel · February 20, 2023, 8:07pm

You could access the claims of token from User Object. Hopefully, this link answers your question.

andreas.lundgren · February 21, 2023, 5:43am

Sorry for missing an important piece, I let the user authenticate in an SPA. This is not a Machine-to-machine authentication. So in the backend, I don’t have access to the ID Token. Only the Access Token.

I send the Access Token to the backend, like this in my frontend/browser code:

    // Get the access token from the Auth0 client
    const token = await auth0Client.getTokenSilently();

    // Make the call to the API, setting the token
    // in the Authorization header
    const response = await fetch("/api/external", {
      headers: {
        Authorization: `Bearer ${token}`
      }
    });

andreas.lundgren · March 2, 2023, 8:32am

To answer my own question for the future, The Access Token, unless specified to be opaque as per this description, is a regular JWT as per this description.

Thus any library, for example one listed on jwt.io can be used to extract claims (and validate) an Access Token. For some languages/frameworks, Auth0 specific libraries seams to exist, like Node Express

konrad.sopala · March 2, 2023, 11:54am

Thanks for sharing it with the rest of community!

Topic		Replies	Views
Custom claims in access token with auth0-spa-js Get Help	4	4566	April 23, 2020
How to add custom user claim to access token for API? (Authorization Code Grant) JWT.io jwt , api , login	7	24532	January 7, 2019
How to unpack the access token? Get Help jwt	2	3343	June 30, 2020
How do I get a JWT for an authenticated user which has gone through the Post Login Action (for setting custom claims)? Get Help apis , application	4	5350	November 28, 2023
Can I get custom claims from another source? JWT.io	2	4390	July 26, 2019

Access the raw Access Token/JWT in my backend API and get all claims

Related topics