accessToken doesn't include any identity info (user_id)

hey all :wave: ,

I setup both an application and an API with auth0. Plus everything seems to be working as expected and jwtCheck is working. the issue is that they payload for the jwt has nothing about user identity. If I’m building a simple todo app, I need way to make sure that authorized users can only CRUD thier own recourses.

My question is how to add user info like user_id to the accessToken?

image

Hi @Fawwaz-2009

Welcome to the Auth0 Community, it’s great to have you here.

The sub claim of an Access Token obtained on login should contain the user_id. If you need more user information you can use the access token to call the userinfo endpoint, more information here https://auth0.com/docs/secure/tokens/access-tokens#sample-access-token

Warm regards.

1 Like

Hey @SaqibHussain thanks so much for the quick reply much appreciated :slight_smile: .

maybe I should’ve clarified by access token I meant the access token returned by the oauth/token.

I’m using the access_token from the endpoint to call an external API protected by Auth0. unfortunately the payload for that token has no info about the user, WDYT?

image
image
image

Hi @Fawwaz-2009

This should work without issue, please try the Authorization Code Flow as an example:

https://YOUR-DOMAIN/authorize?&response_type=code&client_id=YOUR-CLIENT-ID&redirect_uri=http://jwt.io&scope=read:users&audience=https://testapi.com

Take the code returned from the browser and pass it into the curl below

curl --request POST \
  --url 'https://YOUR-DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=YOUR-CLIENT-ID&client_secret=YOUR-CLIENT-SECRET&code=CODE-RETURNED&redirect_uri=http://jwt.io'

This will deliver

{
  "iss": "https://YOUR-DOMAIN/",
  "sub": "auth0|61e99362072c07006a9e4d47",
  "aud": "https://testapi.com",
  "iat": 1663309296,
  "exp": 1663395696,
  "azp": "gdKJLq8Zcs6ODhXP3NVGtfI1cTTOmzTE",
  "scope": "read:users"
}

The sub claim will contain the user_id.

I hope this helps.

Warm regards.