Auth0 Home Blog Docs

Authorize your APIs by logged in User

user
authorize
authorize-endpoint
log-in

#1

I have a regular web application and one custom API.

I have authenticated user using AUth0 and now want to Authorize API with this logged-in user.

I am trying to implement OIDC here.
I have enabled OIDC in advance settings, and tried sending access_token and id_token both in header Bearer but no luck in Authorizing.

Can you please explain, what to do?


#2

If you haven’t done so already you should read the reference documentation on how to setup a server-side web application to call into an API (aka resource server) while following the OIDC and OAuth2 protocols.

In addition, if your technologies are covered by the available quickstarts you should follow the code for the ones that apply to your case:

In conclusion, first you get the access token and then you call your API; if your API is rejecting the access token then you either did not request a suitable access token or the API is configured incorrectly. In either case, the amount of information provided is not enough to even try to guess the possible root cause.


#3

I did it this way reference documentation, but this is the access_token against a client in auth0 and not a user.
I wanted to authorize API with user access_token so that I can access claims of user in my API.

With access_token of client I cannot access Identity Claims of logged in user in my API.


#4

I did it this way reference documentation, but this is the access_token against a client in auth0 and not a user.
I wanted to authorize API with user access_token so that I can access claims of user in my API.

With access_token of client I cannot access Identity Claims of logged in user in my API.


#5

The linked reference documentation is for the authorization code grant; this grant implies the presence of the end-user and the issued token represents the grant that the end-user provided to the client application as means to provide actions on their behalf. Within the access token (which is currently a JWT) there will a sub claim that contains the user identifier. If you need more information, you can use custom claims.


#6