Hey all,
I set up both an application and an API with Auth0, and everything seems to be working as expected; jwtCheck is working. The issue is that the payload of the JWT has nothing about user identity. If I'm building a simple todo app, I need a way to make sure that authorized users can only CRUD their own resources.
My question is how to add user info like user_id to the accessToken?
Hi @Fawwaz-2009
Welcome to the Auth0 Community, it’s great to have you here.
The sub claim of an Access Token obtained on login should contain the user_id. If you need more user information you can use the access token to call the userinfo endpoint, more information here https://auth0.com/docs/secure/tokens/access-tokens#sample-access-token
Warm regards.
Hey @SaqibHussain, thanks so much for the quick reply, much appreciated.
Maybe I should've clarified: by access token I meant the access token returned by the oauth/token endpoint.
I'm using the access_token from that endpoint to call an external API protected by Auth0. Unfortunately the payload for that token has no info about the user, WDYT?
Hi @Fawwaz-2009
This should work without issue, please try the Authorization Code Flow as an example:
https://YOUR-DOMAIN/authorize?response_type=code&client_id=YOUR-CLIENT-ID&redirect_uri=http://jwt.io&scope=read:users&audience=https://testapi.com
Take the code returned from the browser and pass it into the curl below
curl --request POST \
--url 'https://YOUR-DOMAIN/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=authorization_code&client_id=YOUR-CLIENT-ID&client_secret=YOUR-CLIENT-SECRET&code=CODE-RETURNED&redirect_uri=http://jwt.io'
This will deliver an access token whose decoded payload looks like:
{
"iss": "https://YOUR-DOMAIN/",
"sub": "auth0|61e99362072c07006a9e4d47",
"aud": "https://testapi.com",
"iat": 1663309296,
"exp": 1663395696,
"azp": "gdKJLq8Zcs6ODhXP3NVGtfI1cTTOmzTE",
"scope": "read:users"
}
The sub claim will contain the user_id.
I hope this helps.
Warm regards.