Auth0 Code Flow Questions

I am new to Auth0. I have tried the quick start with WebApp app in Nodejs. All code is working and I am using my GitHub account to login. I have though some conceptual questions:

  1. using the code flow I assume that Auth0 is exchanging the ID_Token with GitHub, validate it with publick key of GitHub and finally change it in one signed by itself, right?

  2. in this part of code:

router.get(‘/callback’, function (req, res, next) {
passport.authenticate(‘auth0’, function (err, user, info) {
if (err) { return next(err); }
if (!user) { return res.redirect(‘/login’); }
req.logIn(user, function (err) {
if (err) { return next(err); }
const returnTo = req.session.returnTo;
delete req.session.returnTo;
res.redirect(returnTo || ‘/user’);
})(req, res, next);

where I assume Auth0 is getting the ID_Token from GitHub after authentication and it creates its own one. If so, I would like to print/log the Auth0 ID_Token but I cannot find a way to do. As of now I can only I can see the user info on the screen. Any hints?

thanks lot.

Hi Banto,

To be precise, in the auth code flow, after authentication, the callback URL receives a code, not an ID token. It then exchanges the code (In the passport call you list) for tokens.

There is a function in the strategy that receives the token, that is where you get the tokens.


thanks @john.gateley for clarification.
But still I would like to know how the WepApp app (server) can show me the ID Token.


thanks I have found that function indeed!

Last question: I see that the IDToken contains claims coming from GitHub (like my nickname) however the issuer claim contains “auth0”. Again, does it mean that the token from GitHub is exchanged (by Auth0) with another one signed by Auth0? Which is the one that ultimately the user app receives, right?


That is correct. You can see this by making a rule which extends the access token (or ID token) and then examining the result. For example, I used this rule:

function (user, context, callback) {
// TODO: implement your rule
context.accessToken[‘’] = ‘sample roles’;
return callback(null, user, context);

I would caution about being careful about the differences between access tokens, ID tokens, and refresh tokens. They have very different purposes. See the docs here:

Also note that you can get access tokens to access GitHub’s API


I have tried to change the token and indeed I can add claims.

But I have a doubt: any modification at the token shouldn’t be done before the token is signed, otherwise the signature is broken? At which point in code you change the token?

Please advice.