Access the raw Access Token/JWT in my backend API and get all claims

andreas.lundgren · February 20, 2023, 4:56pm

I have some custom state encoded as a claim in my Access Token (JWT) for quick access in the backend. User is logged in via our SPA or apps, and sends the Access Token to the Backend. I have backend in Node/JS and in Python, but in the provided SDK:s, I cannot find a method to fetch back the provided claims (with my custom “state”) in the JWT.

I can of course just read the token from the request header myself, maybe that is the recommended way?

Details
I use a Login Flow of Auth0 to attach some more information to the JWT. This will speed up my backend as the most used pieces of the state is stored directly in the JWT. Now most backend calls can be served after just examining the JWT, without the delay of getting additional user info from the auth0 API or from some session cache in my backend.

Switching from a proprietary solution to auth0, I have a hard time finding a method in any of the backend SDK:s to fetch back the claims from the access token. From the Frontend I can verify that the JWT is correct using (from the example code) auth0Client.getTokenSilently(). In the backend, this method is not usable since I don’t want for a new token, just access the one that was attached in the Authorization Bearer header of the request.

spoudel · February 20, 2023, 8:07pm

You could access the claims of token from User Object. Hopefully, this link answers your question.

andreas.lundgren · February 21, 2023, 5:43am

Sorry for missing an important piece, I let the user authenticate in an SPA. This is not a Machine-to-machine authentication. So in the backend, I don’t have access to the ID Token. Only the Access Token.

I send the Access Token to the backend, like this in my frontend/browser code:

    // Get the access token from the Auth0 client
    const token = await auth0Client.getTokenSilently();

    // Make the call to the API, setting the token
    // in the Authorization header
    const response = await fetch("/api/external", {
      headers: {
        Authorization: `Bearer ${token}`
      }
    });

andreas.lundgren · March 2, 2023, 8:32am

To answer my own question for the future, The Access Token, unless specified to be opaque as per this description, is a regular JWT as per this description.

Thus any library, for example one listed on jwt.io can be used to extract claims (and validate) an Access Token. For some languages/frameworks, Auth0 specific libraries seams to exist, like Node Express

konrad.sopala · March 2, 2023, 11:54am

Thanks for sharing it with the rest of community!

system · March 16, 2023, 11:55am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I get a JWT for an authenticated user which has gone through the Post Login Action (for setting custom claims)? Help apis , application	4	2594	November 28, 2023
Please expose JWT from auth0-spa-js Help jwt , auth0 , auth0-spa-js	4	3255	March 11, 2020
Use JWT Access-Token from SPA SDK Login for backend API verification JWT.io jwt , auth0 , api , login , access-token	1	2858	February 7, 2022
How to obtain id_token with auth0-spa-js Help spa	20	22066	February 27, 2020
How to securely access custom backend API after SPA authentication? Help classic-universal-login-experience , login-experience	6	3389	May 9, 2023

Access the raw Access Token/JWT in my backend API and get all claims

Related Topics