None of the Java flows work as I was adding to an open-source project, webpieces Auth0Plugin.java (i.e. this is all ‘backend server code’), which is working now except that I would like to get the Google token to talk to the Gmail API or any Google API.
The current flow is redirecting to this, which sends back to a /callback URL →
My current scopes are “openid profile email phone”.
This is working and I currently call /userinfo for token validation. It seems like /api/v2/users/{id} might validate the token for us as well (and we need the user info anyway).
The only issue is that I have no {id} parameter. How do I get /api/v2/users/{id} of the current user when I do not have the {id}, so that I can follow this document to interact with the Gmail API?
I am simply missing this {id}, though it seems like I should not need it somehow. Is there another endpoint that simply uses my access token, or is there a library to parse the access token for the {id} somehow?
I was reading this article as well, trying to parse the access token. When I use the website it links (jwt.io), it says invalid access token, BUT when I cut/paste the JSON to generate the token, it gives me an access token just fine. I don’t understand how Auth0 is giving an access token that can’t be parsed when there are docs talking about access tokens. This is so confusing.
Hey there @dean2, sorry for the delayed response here!
The {id} is equivalent to the sub claim in either an ID or access token.
It’s possible you are receiving an opaque access token if you aren’t passing an audience param in the /authorize request. The following FAQ(s) may be helpful:
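As an added example (not code from this thread or from the webpieces project), the following Python shows what a backend can do with the answer above: tell a JWT-shaped access token from an opaque one, read the `sub` claim, do the claim checks that belong next to a signature check, and percent-encode `sub` into the Management API path. The tenant `example.auth0.com`, the user id and the two sample tokens are constructed; the JWT is unsigned and only illustrates the shape.

```python
import base64
import json
import time
from urllib.parse import quote


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str):
    """Return (header, payload) for a three-segment JWS-shaped token, else None.

    This only parses; it does NOT check the signature. Read sub/aud/exp with it,
    then verify the token against the tenant's JWKS before trusting the claims.
    An opaque access token (what you get from /authorize without an `audience`)
    has no decodable segments and ends up in the None branch: there are no
    claims to read, so /userinfo or the ID token is the only place to get `sub`.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON: not a JWT
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    return header, payload


def is_opaque(token: str) -> bool:
    return decode_jwt_unverified(token) is None


def check_claims(payload: dict, issuer: str, audience: str, now: int = None) -> bool:
    """Claim checks a backend does in addition to the signature check: iss, aud, exp."""
    now = int(time.time()) if now is None else now
    aud = payload.get("aud")
    aud_ok = audience in aud if isinstance(aud, list) else aud == audience
    return payload.get("iss") == issuer and aud_ok and payload.get("exp", 0) > now


def subject_from_token(token: str):
    decoded = decode_jwt_unverified(token)
    return decoded[1].get("sub") if decoded else None


def management_user_url(domain: str, sub: str) -> str:
    # The Management API user id is the `sub` value. It contains '|' (and may
    # contain other reserved characters), so it must be percent-encoded in the path.
    return f"https://{domain}/api/v2/users/{quote(sub, safe='')}"


def make_unsigned_demo_token(payload: dict) -> str:
    """Build a JWT-shaped token with a bogus signature, for offline demonstration only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


# Constructed sample values (not a real tenant, user or token).
DEMO_DOMAIN = "example.auth0.com"
DEMO_API_AUDIENCE = f"https://{DEMO_DOMAIN}/api/v2/"
DEMO_SUB = "google-oauth2|1234567890"
DEMO_JWT = make_unsigned_demo_token({
    "iss": f"https://{DEMO_DOMAIN}/",
    "sub": DEMO_SUB,
    "aud": [DEMO_API_AUDIENCE, f"https://{DEMO_DOMAIN}/userinfo"],
    "iat": 1_600_000_000,
    "exp": 1_600_086_400,
    "scope": "openid profile email",
})
DEMO_OPAQUE = "kCf1Gx9uTqj2ZoS8WnHm4bYpQ3Lr7Aev"  # the shape of a no-audience token


if __name__ == "__main__":
    print("opaque?", is_opaque(DEMO_OPAQUE), is_opaque(DEMO_JWT))
    print("sub:", subject_from_token(DEMO_JWT))
    _, claims = decode_jwt_unverified(DEMO_JWT)
    print("claims ok:", check_claims(claims, f"https://{DEMO_DOMAIN}/",
                                     DEMO_API_AUDIENCE, now=1_600_000_100))
    print(management_user_url(DEMO_DOMAIN, DEMO_SUB))
```

`decode_jwt_unverified` is deliberately not a validator: a token whose `sub` you act on must still have its signature checked against the tenant's JWKS (any mainstream JWT library does this) and pass `check_claims` with your API identifier as the audience. The jwt.io "invalid" result described in the thread is exactly what `is_opaque` returns for a token with no JWT segments.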
Adding an audience param to /authorize, I got access denied. That seems odd, as the docs say it can be anything. Oh, I found another doc and added the Management API ID from my dashboard, and now I get code and state on the callback. **I seem to recall the code should be a JWT token? But it is not, even after doing the audience?**
In addition (perhaps I should open a new question, though it seems so related and part of the same thread?), is there no way to get the ‘sub’ as part of the callback with the token to eliminate a remote call, OR to get the Google OAuth token as part of my next call to get the sub?
It seems very odd that I have to
1. receive callback
2. call code to tokens /oauth/token - for web application (myapp)
3. call user API to get the ‘sub’ - /userinfo
4. call remote to get access token to access mgmt API - /oauth/token - for machine to machine (myapp)
5. call mgmt API to get the Google auth token - /api/v2/users/{userId or sub}
6. call a Google API to get an API access token (I think - trying to figure this out)
7. finally call the Gmail API to do our business operation stuff
It would be nice to eliminate steps 2, 3, 4 and 5 so I just have a single remote call, or am I forced to do all those calls? I can probably put call #5 on a loop, I guess, every 24 hours to refresh it so it is ready for anyone to call into the server. It seems like the #5 data should be able to come from the #3 request, but it does not seem to be there?
It is odd to me that I had to create TWO apps in Auth0 when I just have one server cluster called myapp. I had to create a web application and a machine-to-machine app, so my cluster has two app IDs in Auth0, when I would much prefer to have just 1 for less configuration per environment.
The sub claim is available in a user’s access token and/or ID token, so you shouldn’t need to make any additional call.
You’ll want to take a look at this documentation regarding Identity Provider Access Tokens. A user’s profile will have an Identities array with the IDP access tokens.
Isn’t that endpoint returning the user profile you talk about? (If so, I could skip getting a Management API token and then calling into that API for the user profile, when I already called into the other one for the user profile.) However, the docs only list these fields →
I was referring to the /api/v2/users endpoint (Management API) referred to in the Identity Provider Access Tokens documentation. That is the only way you’ll be able to retrieve an external IDP access token for a user.
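As an added example (not code from this thread, from Auth0, or from the webpieces project), the following Python implements steps 4 to 6 of the flow listed earlier, which the last two replies confirm are required: mint a Management API token with the machine-to-machine app's client credentials, cache it until it is about to expire, fetch `/api/v2/users/{sub}`, and pull the Google access token out of the `identities` array. The HTTP transport is injected so the code runs offline here against a constructed stand-in for the tenant; the domain `example.auth0.com`, the client id and secret, the user profile and every token value are constructed, and `ManagementClient` and `make_fake_transport` are names chosen for this example.

```python
import time
from urllib.parse import quote


class ManagementClient:
    """Client-credentials token cache plus the Management API user lookup.

    `http` is any callable (method, url, headers, json_body) -> (status, json_dict)
    so the class can be exercised offline and wired to a real HTTP client in production.
    """

    def __init__(self, domain, client_id, client_secret, http, clock=time.time):
        self.domain = domain
        self.client_id = client_id
        self.client_secret = client_secret
        self.http = http
        self.clock = clock
        self._token = None
        self._expires_at = 0

    def management_token(self):
        # Refresh 60 s before expiry instead of on a fixed 24 h loop: the
        # `expires_in` in the token response is what actually governs the lifetime.
        if self._token is None or self.clock() >= self._expires_at - 60:
            status, body = self.http("POST", f"https://{self.domain}/oauth/token", {}, {
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "audience": f"https://{self.domain}/api/v2/",
            })
            if status != 200:
                raise RuntimeError(f"client_credentials grant failed: {status} {body}")
            self._token = body["access_token"]
            self._expires_at = self.clock() + int(body["expires_in"])
        return self._token

    def get_user(self, sub):
        # `sub` contains '|', so it is percent-encoded into the path.
        url = f"https://{self.domain}/api/v2/users/{quote(sub, safe='')}"
        headers = {"Authorization": f"Bearer {self.management_token()}"}
        status, body = self.http("GET", url, headers, None)
        if status != 200:
            raise RuntimeError(f"GET {url} failed: {status} {body}")
        return body

    def idp_access_token(self, sub, provider="google-oauth2"):
        """Return the stored IdP access token for `provider`, or None if absent.

        The `access_token` field only appears when the Management API token was
        issued with the read:user_idp_tokens scope, so a None here is usually a
        scope problem on the machine-to-machine app, not a missing identity.
        """
        for identity in self.get_user(sub).get("identities", []):
            if identity.get("provider") == provider and identity.get("access_token"):
                return identity["access_token"]
        return None


# Constructed offline stand-in for the tenant (not real data).
DEMO_DOMAIN = "example.auth0.com"
DEMO_SUB = "google-oauth2|1234567890"
DEMO_PROFILE = {
    "user_id": DEMO_SUB,
    "email": "dean@example.com",
    "identities": [
        {"provider": "google-oauth2", "user_id": "1234567890", "connection": "google-oauth2",
         "isSocial": True, "access_token": "ya29.constructed-google-token"},
    ],
}


def make_fake_transport(calls):
    """Return an http() callable that answers like the tenant would and logs each call."""
    def http(method, url, headers, body):
        calls.append((method, url))
        if method == "POST" and url == f"https://{DEMO_DOMAIN}/oauth/token":
            if (body.get("grant_type") != "client_credentials"
                    or body.get("audience") != f"https://{DEMO_DOMAIN}/api/v2/"):
                return 403, {"error": "access_denied"}
            return 200, {"access_token": "mgmt-token-constructed",
                         "token_type": "Bearer", "expires_in": 86400}
        if method == "GET" and url == f"https://{DEMO_DOMAIN}/api/v2/users/google-oauth2%7C1234567890":
            if headers.get("Authorization") != "Bearer mgmt-token-constructed":
                return 401, {"error": "Unauthorized"}
            return 200, DEMO_PROFILE
        return 404, {"error": "Not Found"}
    return http


def demo(now=1_600_000_000):
    """Look the Google token up twice; returns (first, second, number_of_http_calls)."""
    calls = []
    client = ManagementClient(DEMO_DOMAIN, "m2m-client-id", "m2m-client-secret",
                              make_fake_transport(calls), clock=lambda: now)
    first = client.idp_access_token(DEMO_SUB)
    second = client.idp_access_token(DEMO_SUB)  # cached: no second /oauth/token call
    return first, second, len(calls)


if __name__ == "__main__":
    print(demo())
```

Two practical caveats when wiring this to a real tenant: the Google access token stored on the identity is short-lived, so check the same identity entry for a `refresh_token` before assuming the stored value is usable later, and treat the `identities` array as sensitive data (never log the whole profile).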