I am trying to add email of the user in the access_token using an inbuilt rule. It is working while trying the rule but not working with the API. And the access token that I get from oauth/token endpoint doesn’t contain the email address.
This is how I have defined the rule:
Make sure you are using the right tenant. If you are using a different tenant, the rule won’t be there of course.
You should change your client secret, since it is in the screenshot you included.
Try the real time webtask logs extension (available in your dashboard’s extension tab) and put some console.log statements in. I think you will find that the rule is not being executed when you invoke from the API, and this is almost always due to it being the wrong tenant.
I only have one tenant which I created while signing up on Auth0. So there is no chance that the tenant would be different.
I have changed the client secret. Thanks for pointing it out.
I tried webtask logs extension but it doesn’t show much information when I generate a token, as you can see:
I also want to point out that the application that I am using is a machine to machine application. And I checked Monitoring> Logs section there and it looked like this:
{
“date”: “2022-05-26T17:39:40.244Z”,
“type”: “seccft”,
“description”: “Client Credentials for Access Token”,
“connection_id”: “”,
“client_id”: “VfwvxS1############MMd0G”,
“client_name”: “icar (Test Application)”,
“ip”: “49.#######.125”,
“user_agent”: “Other 0.0.0 / Other 0.0.0”,
“details”: {
“actions”: {
“executions”: [
“TqSNq8DKR#############MjIwNTI2”
]
}
},
“hostname”: “dev-a2z9f75t.us.auth0.com”,
“user_id”: “”,
“user_name”: “”,
“audience”: “https://i-car/api”,
“scope”: null,
“log_id”: “90020220526173944733###########34572255890636818”,
“_id”: “900202205261739447332#############11534572255890636818”,
“isMobile”: false
}
And in the Action Details tab I saw that the action that I created to do the same thing got executed but in the Access token email is still not available. The action I created looked like this:
My SPA makes many calls to my backend. The data returned depends on the logged in user. So I need to know the email address of the user. For scalability’s sake I do not want to make a call to auth0 every time a call is made to my api.
How is my backend supposed to identify the user accessing my api?
I don’t think you are hitting the same issue - you are not using client credentials as far as I can tell.
When you have a user, you use Auth Code, Auth Code + PKCE or ROPG (not recommended). That looks like what you are using. It should be no issue to have the email there.
However, your user’s email should not be the key used by the back end to look up info. While emails must be unique within a single Auth0 connection, if you have multiple connections, you can have duplicate emails: an email can refer to two distinct users.
Hi John, thanks for the answer. You are indeed correct, my issue was elsewhere. The Golang library didn’t parse the custom claims from the access token:
How would you suggest I identify users? The only unique value I see is the sub field.
If I have a database where I need to give specific users access to specific lines in a table (many-to-many), I was thinking of having a table of email addresses, linked to the specifc foreign keys. Should I rather use the value in the sub field to do this linking? When using the email address I can grant permissions before a user registered. If I use the sub field I would require the user to log in at least once so I can store the sub value. Storing email addresses in my table seems cleaner than storing sub values.
Evil hacker signs up for your app using email and password, with email “john@example.com”
Your app backend adds that to your existing entry for “john@example.com”
Evil hacker has now compromised that account.
Granting permissions before you have identified a user sounds dangerous to me - since you haven’t identified the user, you are not sure who you are granting permissions to.
Ahh really interesting. But doesn’t the whole “verify email” prevent this scenario? In other words if I verified the email, I can trust the user has access to the email account, and therefore it is not a hacker.
No, verification isn’t sufficient. The owner of the email account gets an email saying “is this your account”, and probably clicks “yes it is”, since it really is.
This is a pernicious attack, and it is worthwhile setting up your system to not be vulnerable at the beginning.
When you have a user, you use Auth Code, Auth Code + PKCE or ROPG (not recommended). That looks like what you are using. It should be no issue to have the email there.
However, your user’s email should not be the key used by the back end to look up info. While emails must be unique within a single Auth0 connection, if you have multiple connections, you can have duplicate emails: an email can refer to two distinct users.