Auth0 returns a stale userInfo

georgii.rychko · July 11, 2018, 8:19am

This issue is very similar to

and

Here is my use case:

A user changes its profile
Changes get sent to Auth0 using Auth0 Management API v2
Then I reload my SPA
SPA fetches data from the userInfo endpoint using token stored in local storage
userInfo response contains stale data (the one that existed before the user was patched)
Though when I go to Users section (in Auth0 admin panel) - the user I’ve patched has the latest changes.

In my case, the userInfo object has a metadata section which contains user’s lastname and firstname. And this is the section which has a stale data when accessing it using the userInfo endpoint.

Carlos_Mostek · July 11, 2018, 5:15pm

This is intentional behavior. The /userinfo endpoint contains information about the last authentication. You will not get new information until the next authentication request.

Carlos_Mostek · July 11, 2018, 9:04pm

One other thing you can do is use the Management API to get new user information. To do this you would have to proxy the call to the management API through your own API so that you can use client credentials to get a Management API token to get the data about the user that is the latest.

georgii.rychko · July 12, 2018, 7:36am

Now it is clear. I guess it would be very convenient to say about this behavior explicitly in the docs.

georgii.rychko · July 12, 2018, 7:37am

Thanks for the Management API advice!

andrej.developer · January 7, 2019, 6:45am

What is then the “intention” purpose of this endpoint? Why would anyone call this endpoint, if not to get current user profile? (at the time of authentication we can get user information in claims don’t need another call)

If this endpoint returns “information about last authentication” it should not be called “userinfo” (misleading name)
None of this “intent” or use is even mentioned in documentation that states:

to obtain the user’s profile

suggestion to get the actual user profile through 2 hoops of API/Management API instead of single call to the source of information is cumbersome at best.

Carlos_Mostek · January 8, 2019, 3:56pm

I hear what you are saying :). /userinfo does seem like a pointless endpoint because it generally is. There are few cases where it is necessary. It exists because it is part of the OIDC specification, but the fact is that 99% of the time it is better to just grab the information from claims inside the ID token and save yourself an extra API call entirely.

The Auth0 behavior for this endpoint exists because you can set custom claims that are defined when you run rules. Rules only run as part of generating new tokens. Since the information from /userinfo must match the information in the ID token, the only way to generate those custom values would be to run rules again. So, if you want to update /userinfo, you need to call /authorize again to refresh the authentication session.

All that being said, you also make a great point about this needing clarification on our docs page. I’ll send this over to the docs team.

system · February 11, 2019, 5:06pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.