Auth0 getUserInfo does not return all user data

I’m implementing Auth0’s OIDC Conformant Authentication. I’m attempting to secure my custom ASP.NET WebAPI. I’ve registered my custom API and adjusted my Lock settings to include an audience value so the resulting accessToken is a valid JSON Web Token (JWT). I’m successful with this and my user is authenticated and can get to the secure endpoints in my custom API. All is good, except I’m only able to get a subset of data from lock.getUserInfo(authResult.accessToken, (error, profile){}. It’s my understanding getProfile (which uses idToken) is now deprecated in favor of getUserInfo which uses the accessToken to retrieve user data from Auth0.

Calling lock.getUserInfo(authResult.accessToken, (error, profile){} returns the following user information only:

  • email
  • email_verified
  • sub

I’m thinking I’m missing a setup thing which is preventing additional data about the authenticated user from being returned from Auth0 via lock.getUserInfo(authResult.accessToken, (error, profile){}.

Any insight as to what I need to do to return more data about the user please? Thanks for your help.

When doing a request in accordance with OIDC only the standard claims that were requested will be included in the ID token and returned as part of the user information endpoint. You can request standard claims using specific values provided in the scope parameter.

Based on the claims that you mention that are being included it’s likely that you performed your request with a scope containing openid and email. If you need additional information you may consider including also the profile value as that would mean most of the standard information, if available, would be returned.

It’s also possible to include custom information in the issued ID token by means of custom claims; this would cover scenarios where some of the information you need is not standard. For reference information on how to accomplish this check the Custom Claims section of the scopes related documentation.

Thanks for the reply. Adding ‘profile’ to scope did return more information, however, not all the information that was returned from the deprecated getProfile. Calling getProfile with idToken returned profile data but also included ‘identities’ which is a collection of other identities for the user known to Auth0. I tried adding ‘identities’ as a scope value, but that didn’t work. Do you know how to return Auth0’s known identities for the logged in user?

In general, additional information would be added as custom claims. However, for sensitive information, which is the case for some of the information contained within the identities array, it’s not recommended to expose that information directly in the token or user info endpoint.

If the data you need from identities is sensitive, like access tokens, then check the recommended procedure to obtain it; otherwise, include the non-sensitive parts of it as custom claims (the process, involving a rule, is described in the docs I linked to in the answer).
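
The scope-to-claims behaviour and the custom-claim advice in the answers above, as an added example that is not part of the original thread and is not Auth0's code. It models locally why `openid email` yields only three claims, why an `identities` scope value adds nothing, and how an allow-list keeps provider tokens out of a custom claim. `userInfoFor`, `safeIdentities`, the `https://example.com/` namespace and the sample user are hypothetical.

```javascript
// Scope-to-claim mapping from OpenID Connect Core 1.0, section 5.4.
const SCOPE_CLAIMS = new Map([
  ["profile", ["name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at"]],
  ["email", ["email", "email_verified"]],
  ["address", ["address"]],
  ["phone", ["phone_number", "phone_number_verified"]],
]);
// Hypothetical namespace for custom claims (an assumption, not from the thread).
const NAMESPACE = "https://example.com/";
// Identity fields the thread names as non-sensitive; anything else is dropped.
const SAFE_IDENTITY_FIELDS = ["connection", "isSocial", "provider", "userId"];

// Copy only allow-listed fields so provider tokens never reach the claim.
function safeIdentities(identities) {
  return (identities || []).map((identity) => {
    const out = {};
    for (const f of SAFE_IDENTITY_FIELDS) if (f in identity) out[f] = identity[f];
    return out;
  });
}

// Model of what a userinfo response contains for a given scope string.
function userInfoFor(user, scope, { includeIdentities = false } = {}) {
  const scopes = scope.split(/\s+/).filter(Boolean);
  if (!scopes.includes("openid")) throw new Error("openid scope is required");
  const claims = { sub: user.sub };
  for (const s of scopes) {
    for (const c of SCOPE_CLAIMS.get(s) || []) { // unknown scopes add nothing
      if (user[c] !== undefined) claims[c] = user[c];
    }
  }
  if (includeIdentities) {
    claims[NAMESPACE + "identities"] = safeIdentities(user.identities);
  }
  return claims;
}

// Constructed sample user; the access_token value is a placeholder.
const sampleUser = {
  sub: "auth0|123", email: "jane@example.com", email_verified: true,
  name: "Jane Doe", nickname: "jane",
  identities: [{ connection: "google-oauth2", provider: "google-oauth2",
    isSocial: true, userId: "456", access_token: "PLACEHOLDER" }],
};
console.log(userInfoFor(sampleUser, "openid email profile identities",
  { includeIdentities: true }));
```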

The identities meta-data is part of Auth0’s Normalized User Profile. Each identity in the array just lists identities of the user that Auth0 knows about. It contains data like connection, isSocial, provider, and userId. It does not contain sensitive data like access tokens.
Auth0 has deprecated getProfile which uses idToken to retrieve user profile. Auth0 now uses getUserInfo based on claims, however, ‘profile’ claim does not return identities.

Hi:
I am stuck in a similar scenario. Did you find a solution?
Thank you.