Auth0 Home Blog Docs

Authentication API /userinfo missing the user_id

authentication_api
user_id

#1

Hi. I have setup a working webapp to authenticate users with auth0 using Facebook and Google. Everything seem ok but the user_id is always missing or undefined in user profile, both in the webapp callback *(using passport-js) as well in the direct API call.
Please see it yourself:

curl --request GET \
  --url 'https://airwork.eu.auth0.com/userinfo' \
  --header 'authorization: Bearer 16TtWVnZPLjR61UwslPP6-K_bWXUEekS' \
  --header 'content-type: application/json'

Any idea what is going on? Thanks.


#2

for instance, the output of that curl call is the same I get using the auth0 authentication client in nodejs, using the same webapp id and secret:

var AuthenticationClient = require('auth0').AuthenticationClient;
var auth0 = new AuthenticationClient({
  domain: 'airwork.eu.auth0.com',
  clientId: WEBAPP_ID,
  clientSecret: WEBAPP_SECRET
});    
auth0.getProfile('16TtWVnZPLjR61UwslPP6-K_bWXUEekS')
.then(response => {
  console.log(response)
})
.then(error => {
  console.error(error)
})

#3

@daniele I slightly redacted the access token (if you wish you can further redact it yourself or update the question/comment to not include it). Have in mind that editing it may still leave the original one in revisions history so next time consider not posting the real access token and just include the response you obtained (ideally after redacting any info you deem sensitive).


#4

The user identifier should be included in the subclaim, if that claim is not present then ensure that you’re including openid as one of the scope values. If that is not the underlying issue more information may be required about client application settings used to obtain the access token for user information endpoint.


#5

Is it safe to assume sub as the user_id information ?


#6

In this case it is safe to assume sub will contain a stable user identifier that uniquely identifies the user within the scope of the identity provider (the Auth0 service) as that it’s what the OIDC specification mandates. At this time, the sub claim is filled with the user_id information and is unlikely to change, but the most useful characteristics are the ones mandated by the spec; unique and stable (does not change across the lifetime of the end-user account).


#7