Claims in access token Auth0

I am trying to integrate auth0 with one of JS client(jquery) and couple of web api’s(asp.net core web api).

Let me brief you what i am up to.

  1. I have created a client (JQuery) and using it to login on auth0 and it returns me a access token.
  2. Now i need to access couple of other Web APIs(those are also registered as client at my auth0 account).
  3. I have created 2 scopes in API client.
  4. When i am requesting access_token from auth0 in JS App, I am sending those two scopes in scope parameter in Auth0Lock function.
  5. With the token returned, i am calling the APIs by passing token in header as described in documentation.
  6. In API side, i am first checking whether token contains specified scope with one of the policies registered in start.up file in my core web api.
  7. That is working fire,

My question is that the process i am following is the correct one ?
Lets say i have to access another api with that same token, then i need to verify the token at API end for the scope specified.

Please confirm.

My second question is that when i try to access claims from token in my API, there is not much information in this. Ideally i would like to get email and user name from token and later on i would also like to add custom token whenever required.

what is the process for that ?

Let me know if there is something not making sense here.

My question is that the process i am
following is the correct one ? Lets
say i have to access another api with
that same token, then i need to verify
the token at API end for the scope
specified.

Correct. Your API will need to verify the scopes present in the access_token. The following doc outlines how this should be done in WebAPI (Owin):

https://auth0.com/docs/quickstart/backend/webapi-owin/01-authorization#configuring-scopes

My second question is that when i try
to access claims from token in my API,
there is not much information in this.
Ideally i would like to get email and
user name from token and later on i
would also like to add custom token
whenever required.

I don’t quite understand what you mean by and later on i would also like to add custom token whenever required. Do you mean you would like to add additional claims to the access token? If so, take a look at the following:

Thanks Lets say , i need to add some information to access_token, then i should i this by adding a new rule and doing it like,

function (user, context, callback) { const namespace = ‘https://myapp.example.com/’; context.accessToken[namespace + ‘favorite_color’] = user.favorite_color;

callback(null, user, context); }

Is it the way to proceed ?

@anit.kumar correct

Thanks for the help
I have added offline_access to scopes in my JS(jquery client) for refresh token but refresh token always being returned as undefined.

What else i need to configure to get refresh token along side access token.

options passed to Auth0lock are

var options = {

        response_type:'token',
    auth: {
      
        params:
            {
                scope: 'openid offline_access profile',
                audience: 'http://localhost:13791',
                device:"my-device"
            }

    }
};

@anit.kumar In order to keep the forum useful to other members of the community who are searching for answers, we want to prevent addressing two different questions in a single post. Please create a separate post for the above question. Also, please include a HAR file of your request: Generate and Analyze HAR Files. Please remember to remove any passwords or sensitive information from the file before sending it through.