Add email of the user to the access-token using rules

I am trying to add email of the user in the access_token using an inbuilt rule. It is working while trying the rule but not working with the API. And the access token that I get from oauth/token endpoint doesn’t contain the email address.
This is how I have defined the rule:

And in the try this rule feature the email gets added to the output:-

And this is how I am fetching the token:-

But in the decoded access token there is no email:-

I have also tried using the /userInfo endpoint to fetch the user details but it gives the response as ‘Unauthorized’.

Please help me as soon as possible. Any insights would be greatly appreciated.

Hi @naman.chaturvedi

A few things:

Make sure you are using the right tenant. If you are using a different tenant, the rule won’t be there of course.

You should change your client secret, since it is in the screenshot you included.

Try the real time webtask logs extension (available in your dashboard’s extension tab) and put some console.log statements in. I think you will find that the rule is not being executed when you invoke from the API, and this is almost always due to it being the wrong tenant.

John

1 Like

Hi @john.gateley
Thanks for your reply.

I only have one tenant which I created while signing up on Auth0. So there is no chance that the tenant would be different.

I have changed the client secret. Thanks for pointing it out.

I tried webtask logs extension but it doesn’t show much information when I generate a token, as you can see:
webtask log

I also want to point out that the application that I am using is a machine to machine application. And I checked Monitoring> Logs section there and it looked like this:
{
“date”: “2022-05-26T17:39:40.244Z”,
“type”: “seccft”,
“description”: “Client Credentials for Access Token”,
“connection_id”: “”,
“client_id”: “VfwvxS1############MMd0G”,
“client_name”: “icar (Test Application)”,
“ip”: “49.#######.125”,
“user_agent”: “Other 0.0.0 / Other 0.0.0”,
“details”: {
“actions”: {
“executions”: [
“TqSNq8DKR#############MjIwNTI2
]
}
},
“hostname”: “dev-a2z9f75t.us.auth0.com”,
“user_id”: “”,
“user_name”: “”,
“audience”: “https://i-car/api”,
“scope”: null,
“log_id”: “90020220526173944733###########34572255890636818”,
“_id”: “900202205261739447332#############11534572255890636818”,
“isMobile”: false
}

And in the Action Details tab I saw that the action that I created to do the same thing got executed but in the Access token email is still not available. The action I created looked like this:


And in the login fow I can see Rules(Legacy) but not in M2M flow. So can any of this be the reason that I can’t see email in Access token?

Hi @naman.chaturvedi

With M2M/Client credentials, the rules don’t fire. Instead you must use the Client Credentials hook (or the equivalent in Auth0 Actions).

But there is no user associated with M2M, so you cannot get an email address. So I am confused on what you are trying to do.

John

1 Like

This is really interesting as I am hitting the exact same issue.

I’m using all these methods to authenticate users:

My SPA makes many calls to my backend. The data returned depends on the logged in user. So I need to know the email address of the user. For scalability’s sake I do not want to make a call to auth0 every time a call is made to my api.

How is my backend supposed to identify the user accessing my api?

Hi @jpm-homebug

I don’t think you are hitting the same issue - you are not using client credentials as far as I can tell.

When you have a user, you use Auth Code, Auth Code + PKCE or ROPG (not recommended). That looks like what you are using. It should be no issue to have the email there.

However, your user’s email should not be the key used by the back end to look up info. While emails must be unique within a single Auth0 connection, if you have multiple connections, you can have duplicate emails: an email can refer to two distinct users.

John

Hi John, thanks for the answer. You are indeed correct, my issue was elsewhere. The Golang library didn’t parse the custom claims from the access token:

How would you suggest I identify users? The only unique value I see is the sub field.

If I have a database where I need to give specific users access to specific lines in a table (many-to-many), I was thinking of having a table of email addresses, linked to the specifc foreign keys. Should I rather use the value in the sub field to do this linking? When using the email address I can grant permissions before a user registered. If I use the sub field I would require the user to log in at least once so I can store the sub value. Storing email addresses in my table seems cleaner than storing sub values.

There are two basic approaches:

  • Use the sub field and store that value in your DB
  • Use your internal user ID, and store that value in the user’s app metadata in Auth0 and return it in the access and ID tokens

Using email addresses will introduce security risks if you ever have more than one connection.

Consider: you have a Facebook social connection and an email/password connection:

  1. User john@example.com signs in to your app for the first time with a facebook login
  2. Your app creates an entry for user “john@example.com
  3. Evil hacker signs up for your app using email and password, with email “john@example.com
  4. Your app backend adds that to your existing entry for “john@example.com
  5. Evil hacker has now compromised that account.

Granting permissions before you have identified a user sounds dangerous to me - since you haven’t identified the user, you are not sure who you are granting permissions to.

John

Ahh really interesting. But doesn’t the whole “verify email” prevent this scenario? In other words if I verified the email, I can trust the user has access to the email account, and therefore it is not a hacker.

No, verification isn’t sufficient. The owner of the email account gets an email saying “is this your account”, and probably clicks “yes it is”, since it really is.

This is a pernicious attack, and it is worthwhile setting up your system to not be vulnerable at the beginning.

John

When you have a user, you use Auth Code, Auth Code + PKCE or ROPG (not recommended). That looks like what you are using. It should be no issue to have the email there.
download alight motion on ios or mac
However, your user’s email should not be the key used by the back end to look up info. While emails must be unique within a single Auth0 connection, if you have multiple connections, you can have duplicate emails: an email can refer to two distinct users.