I have some custom state encoded as a claim in my Access Token (JWT) for quick access in the backend. The user is logged in via our SPA or apps, and sends the Access Token to the Backend. I have backends in Node/JS and in Python, but in the provided SDKs I cannot find a method to fetch back the provided claims (with my custom “state”) from the JWT.
I can of course just read the token from the request header myself, maybe that is the recommended way?
Details
I use a Login Flow of Auth0 to attach some more information to the JWT. This will speed up my backend as the most used pieces of the state are stored directly in the JWT. Now most backend calls can be served after just examining the JWT, without the delay of getting additional user info from the Auth0 API or from some session cache in my backend.
Switching from a proprietary solution to Auth0, I have a hard time finding a method in any of the backend SDKs to fetch back the claims from the access token. From the Frontend I can verify that the JWT is correct using (from the example code) auth0Client.getTokenSilently(). In the backend, this method is not usable since I don’t want a new token, just access to the one that was attached in the Authorization Bearer header of the request.
Sorry for missing an important piece, I let the user authenticate in an SPA. This is not a Machine-to-machine authentication. So in the backend, I don’t have access to the ID Token. Only the Access Token.
I send the Access Token to the backend, like this in my frontend/browser code:
    // Get the access token from the Auth0 client
    const token = await auth0Client.getTokenSilently();

    // Make the call to the API, setting the token
    // in the Authorization header
    const response = await fetch("/api/external", {
      headers: {
        Authorization: `Bearer ${token}`
      }
    });
To answer my own question for the future: the Access Token, unless specified to be opaque as per this description, is a regular JWT as per this description.
Thus any library, for example one listed on jwt.io, can be used to extract claims from (and validate) an Access Token. For some languages/frameworks, Auth0-specific libraries seem to exist, like Node Express.