Add email of the user to the access-token using rules

naman.chaturvedi · May 26, 2022, 11:33am

I am trying to add email of the user in the access_token using an inbuilt rule. It is working while trying the rule but not working with the API. And the access token that I get from oauth/token endpoint doesn’t contain the email address.
This is how I have defined the rule:

And in the try this rule feature the email gets added to the output:-

And this is how I am fetching the token:-

But in the decoded access token there is no email:-

I have also tried using the /userInfo endpoint to fetch the user details but it gives the response as ‘Unauthorized’.

Please help me as soon as possible. Any insights would be greatly appreciated.

john.gateley · May 26, 2022, 1:17pm

Hi @naman.chaturvedi

A few things:

Make sure you are using the right tenant. If you are using a different tenant, the rule won’t be there of course.

You should change your client secret, since it is in the screenshot you included.

Try the real time webtask logs extension (available in your dashboard’s extension tab) and put some console.log statements in. I think you will find that the rule is not being executed when you invoke from the API, and this is almost always due to it being the wrong tenant.

John

naman.chaturvedi · May 26, 2022, 5:55pm

Hi @john.gateley
Thanks for your reply.

I only have one tenant which I created while signing up on Auth0. So there is no chance that the tenant would be different.

I have changed the client secret. Thanks for pointing it out.

I tried webtask logs extension but it doesn’t show much information when I generate a token, as you can see:

I also want to point out that the application that I am using is a machine to machine application. And I checked Monitoring> Logs section there and it looked like this:
{
“date”: “2022-05-26T17:39:40.244Z”,
“type”: “seccft”,
“description”: “Client Credentials for Access Token”,
“connection_id”: “”,
“client_id”: “VfwvxS1############MMd0G”,
“client_name”: “icar (Test Application)”,
“ip”: “49.#######.125”,
“user_agent”: “Other 0.0.0 / Other 0.0.0”,
“details”: {
“actions”: {
“executions”: [
“TqSNq8DKR#############MjIwNTI2”
]
}
},
“hostname”: “dev-a2z9f75t.us.auth0.com”,
“user_id”: “”,
“user_name”: “”,
“audience”: “https://i-car/api”,
“scope”: null,
“log_id”: “90020220526173944733###########34572255890636818”,
“_id”: “900202205261739447332#############11534572255890636818”,
“isMobile”: false
}

And in the Action Details tab I saw that the action that I created to do the same thing got executed but in the Access token email is still not available. The action I created looked like this:

And in the login fow I can see Rules(Legacy) but not in M2M flow. So can any of this be the reason that I can’t see email in Access token?

john.gateley · May 31, 2022, 2:31pm

Hi @naman.chaturvedi

With M2M/Client credentials, the rules don’t fire. Instead you must use the Client Credentials hook (or the equivalent in Auth0 Actions).

But there is no user associated with M2M, so you cannot get an email address. So I am confused on what you are trying to do.

John

jpm-homebug · May 31, 2022, 3:55pm

This is really interesting as I am hitting the exact same issue.

I’m using all these methods to authenticate users:

My SPA makes many calls to my backend. The data returned depends on the logged in user. So I need to know the email address of the user. For scalability’s sake I do not want to make a call to auth0 every time a call is made to my api.

How is my backend supposed to identify the user accessing my api?

john.gateley · June 1, 2022, 2:18pm

Hi @jpm-homebug

I don’t think you are hitting the same issue - you are not using client credentials as far as I can tell.

When you have a user, you use Auth Code, Auth Code + PKCE or ROPG (not recommended). That looks like what you are using. It should be no issue to have the email there.

However, your user’s email should not be the key used by the back end to look up info. While emails must be unique within a single Auth0 connection, if you have multiple connections, you can have duplicate emails: an email can refer to two distinct users.

John

jpm-homebug · June 1, 2022, 2:48pm

Hi John, thanks for the answer. You are indeed correct, my issue was elsewhere. The Golang library didn’t parse the custom claims from the access token:

github.com/auth0/go-jwt-middleware

Custom claims not decoded

opened 04:29PM - 31 May 22 UTC

closed 01:42PM - 22 Jun 22 UTC

jpmeijers

bug

### Describe the problem Decoded access token does not contain custom claims.… ### What was the expected behavior? I want to see the custom claims that were added by the auth0 actions. ### Reproduction I have an access token that looks like this: ```eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjdOU1ZEMHpoMnJmSG9JWjM3YjBqWiJ9.eyJodHRwczovL2F1dGguZWJ1Zy5jby56YS9lbWFpbCI6ImpwbWVpamVyc0Bob21lYnVnLmNvLnphIiwiaHR0cHM6Ly9hdXRoLmVidWcuY28uemEvZW1haWxfdmVyaWZpZWQiOnRydWUsImlzcyI6Imh0dHBzOi8vYXV0aC5lYnVnLmNvLnphLyIsInN1YiI6ImF1dGgwfDEyMTEiLCJhdWQiOiJodHRwczovL2FwaS5lYnVnLmNvLnphIiwiaWF0IjoxNjU0MDE0MDM2LCJleHAiOjE2NTQxMDA0MzYsImF6cCI6InFyZGJkeGllZGtTQVBtbHhVckw0OTJVSjR3WHRWajVBIiwic2NvcGUiOiJlbWFpbCIsImd0eSI6InBhc3N3b3JkIiwicGVybWlzc2lvbnMiOltdfQ.MvKzvEbmmZRgOOGvG35npCkS3FfDmEJt1dpc_uRey5MZLvuO_a2Z8L-Z7TizVBkWhIHWL8mxopzjI9PLx_VzeexL8XKt7mrg0eiabu6sLlky29pXGjfh1SDDMhV4MTWMc_G94riNs-LfSZ7sevZMOn2TyCGEcSwJf5uW-xbcBQLeHIDMIhm1vAqFvJj_qsE68KFO2O0g1JZbSjakRBUq_aL0CsSpOScKXKk9Bi19L0U_mjYeUxYD24sMyZ6wbOot5_OPgIV3ouBUEuLR8RA0itGj7n22flRdzTR6inAB-KJdQZ7reFcP7YrKzTyrKA5p3nb245sJhvGPGmYIaZSBvw``` I call the golang API which prints out the json marshalled claims: ``` func TestUserAuthedRoute(w http.ResponseWriter, r *http.Request) { claims := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims) log.Println(claims.RegisteredClaims.Subject) payload, err := json.Marshal(claims) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } w.Header().Set("Content-Type", "application/json") w.Write(payload) } ``` The result is: ``` { "CustomClaims": { "scope": "email" }, "RegisteredClaims": { "iss": "https://auth.ebug.co.za/", "sub": "auth0|1211", "aud": [ "https://api.ebug.co.za" ], "exp": 1654100251, "iat": 1654013851 } } ``` I am expecting to see the custom claims, like jwt.io shows when decoding this same access token: ``` { "https://auth.ebug.co.za/email": "jpmeijers@homebug.co.za", "https://auth.ebug.co.za/email_verified": true, "iss": "https://auth.ebug.co.za/", "sub": "auth0|1211", "aud": "https://api.ebug.co.za", "iat": 1654014036, "exp": 1654100436, "azp": "qrdbdxiedkSAPmlxUrL492UJ4wXtVj5A", "scope": "email", "gty": "password", "permissions": [] } ``` ### Environment - **Version of `go-jwt-middleware` used:** github.com/auth0/go-jwt-middleware/v2 v2.0.1 - **Other modules/plugins/libraries that might be involved:**

How would you suggest I identify users? The only unique value I see is the sub field.

If I have a database where I need to give specific users access to specific lines in a table (many-to-many), I was thinking of having a table of email addresses, linked to the specifc foreign keys. Should I rather use the value in the sub field to do this linking? When using the email address I can grant permissions before a user registered. If I use the sub field I would require the user to log in at least once so I can store the sub value. Storing email addresses in my table seems cleaner than storing sub values.

john.gateley · June 1, 2022, 3:22pm

There are two basic approaches:

Use the sub field and store that value in your DB
Use your internal user ID, and store that value in the user’s app metadata in Auth0 and return it in the access and ID tokens

Using email addresses will introduce security risks if you ever have more than one connection.

Consider: you have a Facebook social connection and an email/password connection:

User john@example.com signs in to your app for the first time with a facebook login
Your app creates an entry for user “john@example.com”
Evil hacker signs up for your app using email and password, with email “john@example.com”
Your app backend adds that to your existing entry for “john@example.com”
Evil hacker has now compromised that account.

Granting permissions before you have identified a user sounds dangerous to me - since you haven’t identified the user, you are not sure who you are granting permissions to.

John

jpm-homebug · June 2, 2022, 8:06am

Ahh really interesting. But doesn’t the whole “verify email” prevent this scenario? In other words if I verified the email, I can trust the user has access to the email account, and therefore it is not a hacker.

john.gateley · June 2, 2022, 1:57pm

No, verification isn’t sufficient. The owner of the email account gets an email saying “is this your account”, and probably clicks “yes it is”, since it really is.

This is a pernicious attack, and it is worthwhile setting up your system to not be vulnerable at the beginning.

John

ervinjelvos9 · June 2, 2022, 7:53pm

When you have a user, you use Auth Code, Auth Code + PKCE or ROPG (not recommended). That looks like what you are using. It should be no issue to have the email there.

However, your user’s email should not be the key used by the back end to look up info. While emails must be unique within a single Auth0 connection, if you have multiple connections, you can have duplicate emails: an email can refer to two distinct users.