I am trying to integrate Auth0 with a JS client (jQuery) and a couple of Web APIs (ASP.NET Core Web API).
Let me brief you on what I am up to.
- I have created a client (jQuery) and use it to log in on Auth0, and it returns me an access token.
- Now I need to access a couple of other Web APIs (those are also registered as clients in my Auth0 account).
- I have created 2 scopes in the API client.
- When I request an access_token from Auth0 in the JS app, I send those two scopes in the scope parameter of the Auth0Lock function.
- With the token returned, I call the APIs by passing the token in the header as described in the documentation.
- On the API side, I first check whether the token contains the specified scope with one of the policies registered in the Startup file of my Core Web API.
- That is working fine.
My question is: is the process I am following the correct one?
Let's say I have to access another API with that same token; then I need to verify the token at the API end for the scope specified.
Please confirm.
My second question is that when I try to access claims from the token in my API, there is not much information in it. Ideally I would like to get the email and user name from the token, and later on I would also like to add custom token whenever required.
What is the process for that?
Let me know if there is something not making sense here.
My question is that the process i am
following is the correct one ? Lets
say i have to access another api with
that same token, then i need to verify
the token at API end for the scope
specified.
Correct. Your API will need to verify the scopes present in the access_token. The following doc outlines how this should be done in WebAPI (Owin):
https://auth0.com/docs/quickstart/backend/webapi-owin/01-authorization#configuring-scopes
My second question is that when i try
to access claims from token in my API,
there is not much information in this.
Ideally i would like to get email and
user name from token and later on i
would also like to add custom token
whenever required.
I don't quite understand what you mean by "and later on i would also like to add custom token whenever required".
Do you mean you would like to add additional claims to the access token? If so, take a look at the following:
Thanks. Let's say I need to add some information to the access_token; then I should do this by adding a new rule and doing it like:

function (user, context, callback) {
  // Custom claims must be namespaced (a URL prefix) or Auth0 drops them from the token
  const namespace = 'https://myapp.example.com/';
  // Copy a user attribute into the access token under the namespaced claim name
  context.accessToken[namespace + 'favorite_color'] = user.favorite_color;
  callback(null, user, context);
}

Is this the way to proceed?
Thanks for the help.
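Added example, not code from the thread or from Auth0: how a resource API applies the scope check described in the first answer and reads namespaced custom claims like the one set by the rule above. It assumes the API's JWT middleware has already validated the signature, issuer and expiry, so only the payload is inspected here; the namespace, scope names and sample token are constructed.

```javascript
// Node.js, no dependencies. Hypothetical namespace, matching the rule above.
const NAMESPACE = 'https://myapp.example.com/';

// base64url helpers (RFC 7515): no padding, '-' and '_' instead of '+' and '/'
function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Decode the payload segment of a compact JWT. Does NOT verify the signature;
// a real API must let its JWT middleware do that before trusting any claim.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(fromB64url(parts[1]));
}

// Scope policy: every required scope must appear in the space-separated `scope` claim.
function hasScopes(payload, required) {
  const granted = new Set((payload.scope || '').split(' ').filter(Boolean));
  return required.every((s) => granted.has(s));
}

// Collect the claims that a rule added under the namespace, with the prefix stripped.
function customClaims(payload) {
  const out = {};
  for (const [k, v] of Object.entries(payload)) {
    if (k.startsWith(NAMESPACE)) out[k.slice(NAMESPACE.length)] = v;
  }
  return out;
}

// Audience must be the API identifier the client asked for, then scopes are checked.
function authorize(jwt, expectedAudience, requiredScopes) {
  const payload = decodePayload(jwt);
  if (payload.aud !== expectedAudience) return { ok: false, reason: 'audience', claims: {} };
  if (!hasScopes(payload, requiredScopes)) return { ok: false, reason: 'scope', claims: {} };
  return { ok: true, reason: null, claims: customClaims(payload) };
}

// Constructed sample token: header.payload.signature, signature is a placeholder.
const SAMPLE_PAYLOAD = {
  iss: 'https://example.auth0.com/', sub: 'auth0|123', aud: 'http://localhost:13791',
  scope: 'openid profile read:orders',
  [NAMESPACE + 'favorite_color']: 'blue',
};
const SAMPLE_JWT = `${toB64url({ alg: 'RS256', typ: 'JWT' })}.${toB64url(SAMPLE_PAYLOAD)}.sig`;
```

Calling authorize(SAMPLE_JWT, 'http://localhost:13791', ['read:orders']) succeeds and returns { favorite_color: 'blue' }, while asking for a scope the token was not granted, or presenting it to a different audience, is refused.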
I have added offline_access to the scopes in my JS (jQuery) client for the refresh token, but the refresh token is always returned as undefined.
What else do I need to configure to get a refresh token alongside the access token?
Options passed to Auth0Lock are:

var options = {
  response_type: 'token',
  auth: {
    params: {
      scope: 'openid offline_access profile',
      audience: 'http://localhost:13791',
      device: "my-device"
    }
  }
};
@anit.kumar In order to keep the forum useful to other members of the community who are searching for answers, we want to prevent addressing two different questions in a single post. Please create a separate post for the above question. Also, please include a HAR file of your request: Generate and Analyze HAR Files. Please remember to remove any passwords or sensitive information from the file before sending it through.