Best practice to find a user in my API database from a verified JWT access token

duncanmcleod972 · June 22, 2021, 7:43pm

Hi everyones,

My goal in one sentence:
Find an existing user in my API database from a verified JWT access token
(I mean here : Find the user who send the current request)

What I have done and it works :

I have a basic web application where my frontend ask for an accessToken and store it into the local storage.

const accessToken = await this.auth0Client.getTokenSilently();
localStorage.setItem('accessToken', accessToken);

Then this token is inserted as an authorization header with all the requests sended to my personal API

I also added a rule into the auth0 web interface, thus I can retreive the email into the accessToken.

function (user, context, callback) {  
  context.accessToken['https://mynamespace.com/email'] = user.email;
  context.accessToken['https://mynamespace.com/email_verified'] = user.email_verified;

  return callback(null, user, context);
}

All of this works but seems complicated to me, I feel I am missing some points here, am I ?
Is this follow the best practices ?
I have read here it is not a good practice to store email into access token, is that true ?

Thank you for your answers !

stephanie.chamblee · June 23, 2021, 1:30pm

Hi @duncanmcleod972,

Welcome to the Community!

The Access Token’s sub claim is the Auth0 user ID. One way you could handle this is by updating your DB to include a foreign key for the Auth0 user ID so that you can look up the user using the Access Token’s sub claim.

You can also retrieve additional profile info by calling the /userinfo endpoint from your backend, using the Access Token in the Authorization header as a bearer token.

Our docs offer info on why only the user ID is included in the Access Token:

Note that the token does not contain any information about the user besides their ID ( sub claim). It only contains authorization information about which actions the application is allowed to perform at the API ( scope claim). This is what makes it useful for securing an API, but not for authenticating a user.

duncanmcleod972 · June 23, 2021, 11:36pm

This totally make sense ! Thanks a lot for your answer

system · July 8, 2021, 11:36pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.