Confusion on /userinfo vs. /api/v2/users/{id} apis

None of the java flows work as I was adding to an opensource project webpieces (ie. this is all ‘backend server code’) which is working now except for I would like to get the google token to talk to the gmail api or any google api.

The current flow is redirecting to this which sends back to a /callback url →

	String url = "https://"+domain+"/authorize" +
			"?response_type=code" +
			"&client_id=" + auth0Config.getClientId() +
			"&scope=" + urlEncodedScope +
			"&redirect_uri="+ urlEncodedCallbackUrl.get();

My current scopes are “openid profile email phone”

This is working and I currently call /userinfo for token validation. It seems like /api/v2/users/{id} might validate the token for us as well (and we need the user info anyways).

The only issue being is I have no {id} parameter. How do I get /api/v2/users/{id} of the current user but I do not have the {id} to do that such that I can follow this document to interact with the gmail api??

I am simply missing this {id} though seems like I should not need it somehow. Is there another endpoint that simply uses my access token or is there a library to parse the access token for the {id} somehow?

I was reading this article as well trying to parse the access token. When I use the website it links(, it says invalid access token, BUT when I cut/paste the json to generate the token, it gives me an accesstoken just fine. I don’t understand how auth0 is giving an access token that can’t be parsed when there is docs talking about accesstoken. This is so confusing here.

Hey there @dean2 sorry for the delayed response here!

The {id} is equivalent to the sub claim in either an ID or access token.

It’s possible you are receiving an opaque access token if you aren’t passing an audience param in the /authorize request - The following FAQ(s) may be helpful:


awesome info!! thank you

Adding audience param to /authorize, I got access denied. That seems odd as docs say it can be anything. Oh, I found another doc and added the management api id from my dashboard and now I get code and state on the callback. **I seem to recall the code should be a JWT token? but it is not even after doing the audience? **

In addition, (perhaps I should open a new question though it seems so related and part of same thread?) Is there no way to get the ‘sub’ as part of the callback with the token to eliminate a remote call OR to get the google oauth token as part of my next call to get the sub?

It seems very odd that I have to

  1. receive callback
  2. call code to tokens /oauth/token - for web application (myapp)
  3. call user api to get the ‘sub’ - /userinfo
  4. call remote to get access token to access mgmt api - /oauth/token - for machine to machine (myapp)
  5. call mgmt api to get the google auth token - /api/v2/users/{userId or sub}’
  6. call a google api to get an api access token(I think - trying to figure this out)
  7. finally call the gmail api to do our business operation stuff

It would be nice to eliminate steps 2 and 3 and 4 and 5 so I just have a single remote call. or am I forced to do all those calls? I can probably put call #5 on a loop I guess every 24 hours to refresh it to be ready for anyone to call into the server. It seems like #5 data should be able to come from the #3 request but does not seem to be there?

It is odd to me that I had to create TWO apps in auth0 when I just have one server cluster called myapp. I had to create a web appliation and a machine to machine so my cluster has two app ids in auth0 when I would much prefer to have just 1 for less configuration per environment.


Happy to help!

The sub claim is available in a user’s access token and/or ID token so you shouldn’t need to make any additional call.

You’ll want to take a look at this documentation regarding Identity Provider Access Tokens - A user’s profile will have an Identities array with the IDP access tokens.

@tyf odd, I do not see identities in the documentation for /userinfo endpoint → Authentication API Explorer

Isn’t that endpoint returning the user profile you talk about? (If so, I could skip then getting a mgmt api token and then calling into that api for user profile when I already called into the other one for user profile) however the docs only list these fields →

“sub”: “248289761001”,
“name”: “Jane Josephine Doe”,
“given_name”: “Jane”,
“family_name”: “Doe”,
“middle_name”: “Josephine”,
“nickname”: “JJ”,
“preferred_username”: “j.doe”,
“profile”: “”,
“picture”: “”,
“website”: “”,
“email”: “”,
“email_verified”: true,
“gender”: “female”,
“birthdate”: “1972-03-31”,
“zoneinfo”: “America/Los_Angeles”,
“locale”: “en-US”,
“phone_number”: “+1 (111) 222-3434”,
“phone_number_verified”: false,
“address”: {
“country”: “us”
“updated_at”: “1556845729”

1 Like

Hey @dean2 !

I was referring to the /api/v2/users endpoint (Management API) referred to in Identity Provider Access Tokens documentation. That is the only way you’ll be able to retrieve an external IDP access token for a user.

Hope this helps to clarify!