Claims coming from user profile disappear after token is requested again via the implicit flow

vpanushev · January 22, 2020, 2:12pm

Hi

I have a user in an Auth0 tenant that has the given_name and family_name profile attributes configured via the User Management API.

When I request a token for this user via the implicit flow the first time I get following claims:

{
  "example.com/favorite_color": "test",
  "example.com/test": "test",
  "given_name": "John",
  "family_name": "Smith",
  "nickname": "john",
  "name": "John Smith",
  "picture": "...",
  "updated_at": "2020-01-22T14:04:03.985Z",
  "email": "john.smith@example.com",
  "email_verified": true,
  "iss": "....",
  "sub": "auth0|5e26be6c21830d0f1b68643e",
  "aud": "dWvjaYXGm51KzW8R17bT1spiZQjSjUsi",
  "iat": 1579701844,
  "exp": 1579737844,
  "nonce": "NONCE"
}

(the "example.com/… claims come from a rule).

That’s working fine. However if I send another request via the implicit flow in the same browser session I get following claims:

{
  "example.com/favorite_color": "test",
  "example.com/test": "test",
  "iss": "....",
  "sub": "auth0|5e26be6c21830d0f1b68643e",
  "aud": "dWvjaYXGm51KzW8R17bT1spiZQjSjUsi",
  "iat": 1579702006,
  "exp": 1579738006,
  "nonce": "1234"
}

all the user profile claims are gone. Only the core claims and the claims coming from the rule

Note that this is not some kind of odd scenario. If a single page application is force-reloaded via the refresh button then it has no other choice but to request a new token via the authorization end point.

Why is this happening and how can I prevent it?

Best regards
Vasil

dan.woda · January 22, 2020, 10:08pm

Hi @vpanushev,

This is unusual. Can you show us the code you are using to make these 2 calls?

Thanks,
Dan

vpanushev · January 23, 2020, 7:28am

Hi @dan.woda

I’m testing with plain browser. The redirect URI of the client is https://jwt.ms which just pretty-prints the received JWT.

Best regards
Vasil

dan.woda · January 23, 2020, 5:21pm

It looks like the second token is coming back without the profile claims.

This doc talks about the profile scope and the associated claims.

edit: I see you are just making the call directly

dan.woda · January 23, 2020, 6:04pm

Okay I tested this and you can get the profile claims if you add scope=openid profile email.

I used this request and had it working:

https://{YOUR DOMAIN}.eu.auth0.com/authorize?scope=openid%20profile%20email&response_type=id_token&client_id={YOUR CLIENT ID}&redirect_uri=https://jwt.ms/&nonce=NONCE

vpanushev · January 24, 2020, 8:06am

Yep - I can confirm that this is working. Completely forgot about the scope parameter and since it worked with the first time, I didn’t double-check the URL.

Thank you very much!

Best regards
Vasil

dan.woda · January 24, 2020, 8:35pm

Glad it is working for you!

dan.woda · February 8, 2020, 8:45pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to refresh my claims Help apis , application	2	303	April 9, 2024
Rule with blank namespace stopped working for two days then started working again Help	4	4313	April 20, 2020
Storing custom claims in Auth0 JWT? Help jwt , tier1 , claims	4	4488	March 2, 2018
Unable to Retrieve Value of 'scope' claim in JWT Help user-profile , user-management	2	289	February 29, 2024
Retrieving 'identities' claim in id_token on username/password login Help id_token , login , claim	4	5357	March 2, 2018

Claims coming from user profile disappear after token is requested again via the implicit flow

Related Topics