Claims coming from user profile disappear after token is requested again via the implicit flow

Hi

I have a user in an Auth0 tenant that has the given_name and family_name profile attributes configured via the User Management API.

When I request a token for this user via the implicit flow the first time, I get the following claims:

{
  "example.com/favorite_color": "test",
  "example.com/test": "test",
  "given_name": "John",
  "family_name": "Smith",
  "nickname": "john",
  "name": "John Smith",
  "picture": "...",
  "updated_at": "2020-01-22T14:04:03.985Z",
  "email": "john.smith@example.com",
  "email_verified": true,
  "iss": "....",
  "sub": "auth0|5e26be6c21830d0f1b68643e",
  "aud": "dWvjaYXGm51KzW8R17bT1spiZQjSjUsi",
  "iat": 1579701844,
  "exp": 1579737844,
  "nonce": "NONCE"
}

(the "example.com/…" claims come from a rule).

That's working fine. However, if I send another request via the implicit flow in the same browser session, I get the following claims:

{
  "example.com/favorite_color": "test",
  "example.com/test": "test",
  "iss": "....",
  "sub": "auth0|5e26be6c21830d0f1b68643e",
  "aud": "dWvjaYXGm51KzW8R17bT1spiZQjSjUsi",
  "iat": 1579702006,
  "exp": 1579738006,
  "nonce": "1234"
}

All the user profile claims are gone. Only the core claims and the claims coming from the rule remain.

Note that this is not some kind of odd scenario. If a single-page application is force-reloaded via the refresh button, then it has no other choice but to request a new token via the authorization endpoint.

Why is this happening and how can I prevent it?

Best regards
Vasil

Hi @vpanushev,

This is unusual. Can you show us the code you are using to make these 2 calls?

Thanks,
Dan

Hi @dan.woda

I'm testing with a plain browser. The redirect URI of the client is https://jwt.ms, which just pretty-prints the received JWT.

Best regards
Vasil

It looks like the second token is coming back without the profile claims.

This doc talks about the profile scope and the associated claims.

edit: I see you are just making the call directly

Okay, I tested this, and you can get the profile claims if you add scope=openid profile email.

I used this request and had it working:

https://{YOUR DOMAIN}.eu.auth0.com/authorize?scope=openid%20profile%20email&response_type=id_token&client_id={YOUR CLIENT ID}&redirect_uri=https://jwt.ms/&nonce=NONCE
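The following is an added example, not code from the thread or from Auth0. It builds the implicit-flow /authorize request above with the three scopes, parses the id_token that comes back in the URL fragment, reports which claims the requested scopes should have produced but did not (which is what the missing scope parameter caused in the original post), and performs the nonce, aud, iss and exp checks a client must do before trusting an id_token. The tenant domain, the state value and the two tokens are constructed so the script runs offline in Node.js; the client_id, sub and timestamps are copied from the post. The signature segment of the constructed tokens is a placeholder, so no signature verification is done here; a real client must verify the RS256 signature against the tenant's JWKS before using any claim.

```javascript
// Added example (not from the original thread): implicit-flow authorize URL,
// fragment parsing and claim/scope checks. Runs offline on constructed tokens.

const SAMPLE_DOMAIN = 'example.eu.auth0.com'; // assumed tenant domain
const SAMPLE_CLIENT_ID = 'dWvjaYXGm51KzW8R17bT1spiZQjSjUsi'; // aud from the post
const SAMPLE_REDIRECT = 'https://jwt.ms/';
const ISS = `https://${SAMPLE_DOMAIN}/`;

// Representative claims each scope adds to the id_token (the set the first
// token in the thread carried). openid always yields at least sub.
const SCOPE_CLAIMS = {
  openid: ['sub'],
  profile: ['name', 'given_name', 'family_name', 'nickname', 'picture', 'updated_at'],
  email: ['email', 'email_verified'],
};

function buildAuthorizeUrl({ domain, clientId, redirectUri, scopes, nonce, state }) {
  // Spaces in scope are %20-encoded, matching the URL used in the thread.
  const params = [
    ['scope', scopes.join(' ')],
    ['response_type', 'id_token'],
    ['client_id', clientId],
    ['redirect_uri', redirectUri],
    ['nonce', nonce],
    ['state', state],
  ].map(([k, v]) => `${k}=${encodeURIComponent(v)}`);
  return `https://${domain}/authorize?${params.join('&')}`;
}

function parseFragment(fragment) {
  // The implicit flow returns tokens in the URL fragment: "#id_token=...&state=..."
  const out = {};
  for (const pair of fragment.replace(/^#/, '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  // Decodes only; signature verification is deliberately out of scope here.
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

function missingClaimsForScopes(claims, scopes) {
  // Claims the requested scopes should have produced but that are absent.
  return scopes.flatMap((s) => (SCOPE_CLAIMS[s] || []).filter((c) => !(c in claims)));
}

function validateIdToken(claims, { expectedNonce, expectedAud, expectedIss, now }) {
  const errors = [];
  if (claims.iss !== expectedIss) errors.push('iss mismatch');
  if (claims.aud !== expectedAud) errors.push('aud mismatch');
  if (claims.nonce !== expectedNonce) errors.push('nonce mismatch (possible replay)');
  if (typeof claims.exp !== 'number' || claims.exp <= now) errors.push('token expired');
  return { ok: errors.length === 0, errors };
}

// Constructed tokens mirroring the two responses in the thread; "sig" is a
// placeholder, so these parse but would never pass signature verification.
function constructedToken(payload) {
  return `${b64urlEncode({ alg: 'RS256', typ: 'JWT' })}.${b64urlEncode(payload)}.sig`;
}
const FULL_TOKEN = constructedToken({
  iss: ISS, sub: 'auth0|5e26be6c21830d0f1b68643e', aud: SAMPLE_CLIENT_ID,
  iat: 1579701844, exp: 1579737844, nonce: 'NONCE',
  given_name: 'John', family_name: 'Smith', nickname: 'john', name: 'John Smith',
  picture: '...', updated_at: '2020-01-22T14:04:03.985Z',
  email: 'john.smith@example.com', email_verified: true,
});
const BARE_TOKEN = constructedToken({
  iss: ISS, sub: 'auth0|5e26be6c21830d0f1b68643e', aud: SAMPLE_CLIENT_ID,
  iat: 1579702006, exp: 1579738006, nonce: '1234',
});

function demo(token) {
  const scopes = ['openid', 'profile', 'email'];
  const url = buildAuthorizeUrl({
    domain: SAMPLE_DOMAIN, clientId: SAMPLE_CLIENT_ID, redirectUri: SAMPLE_REDIRECT,
    scopes, nonce: 'NONCE', state: 'xyz',
  });
  const fragment = parseFragment(`#id_token=${token}&state=xyz`);
  const claims = decodeJwtPayload(fragment.id_token);
  return {
    url,
    missing: missingClaimsForScopes(claims, scopes),
    check: validateIdToken(claims, {
      expectedNonce: 'NONCE', expectedAud: SAMPLE_CLIENT_ID, expectedIss: ISS, now: 1579702100,
    }),
  };
}

console.log(JSON.stringify(demo(BARE_TOKEN), null, 2));
```

Run against the second token from the thread, missingClaimsForScopes lists every profile and email claim, which is the symptom of an /authorize request sent without scope=openid profile email. The nonce check also fails for that token because its nonce (1234) is not the one the client generated, which is exactly the case a client must reject rather than silently accept: the nonce binds the id_token to the request that asked for it. A production client additionally verifies the signature with the tenant's JWKS and, for a new SPA, Auth0 recommends the authorization code flow with PKCE over the implicit flow.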

Yep, I can confirm that this is working. I completely forgot about the scope parameter, and since it worked the first time, I didn't double-check the URL.

Thank you very much!

Best regards
Vasil


Glad it is working for you!
