Custom Enterprise Connection requires actual call to /userinfo

Hello,

After a helpful reply to my last challenge, I thought I’d make another thread for this.
I’ve set up a custom Enterprise Connection using OIDC, and login is working perfectly fine. However, I’m not getting any information from any of the scopes I’ve authorized (I was able to get this information from a manual implementation, but not through Auth0), and I believe I’ve finally found a clue to a fix, but I’m not sure how to best implement it.

According to The OIDC Enterprise Connection docs, Auth0’s custom Enterprise Connections do not make actual calls to the /userinfo endpoint to request information available through the authorized scopes.

Note that the connection does not call /userinfo endpoint and expects the user claims to be present in the id_token .

This works fine for my Social Google connection, I get the information I expect from my scopes, but not from this Enterprise Connection.
So, my question is as follows:

How can I enforce a call to this /userinfo endpoint from inside Auth0 for user information in authorized scopes, for only this specific OIDC connection?

I would highly appreciate any suggestions and guidance.
Best regards,
Johannes

I’m afraid that within the scope of an enterprise OIDC connection this would not be possible at this time as there’s no way to configure the connection to call /userinfo. I would recommend leaving this feedback through auth0.com/feedback if you haven’t done so already.

As a currently available alternative, you could technically integrate the same provider through a custom social OAuth 2.0 connection (https://auth0.com/docs/connections/social/oauth2) which would allow you to return user profile information based on a request to the user information endpoint, however, there would be differences in terms of experience as the different connection types imply other considerations in terms of features.

Thanks to João Angelo (@jmangelo)'s very helpful suggestion, I was able to solve this issue using the Custom Social Connection extension. With it, I was able to set up the basic endpoints like authorization and token endpoints, but also add a custom script for calling the IdP’s /userinfo API, and normalize the output.

My Fetch User Profile script ended up looking something like this:

function(access_token, ctx, callback) {
  const request = require('request');
  const userinfoEndpoint = "https://auth.domain.com/openid/userinfo";
  request.get(userinfoEndpoint, {
    'headers': {
      'Authorization': 'Bearer ' + access_token
    }
  }, function(e, r, b) {
    if (e) {
      return callback(e);
    }
    if (r.statusCode !== 200) {
      return callback(new Error('StatusCode:' + r.statusCode));
    }
    const response = JSON.parse(b);
    const profile = {
    	"user_id": response.sub,
    	"email": response.email,
    	"name": response.name
    };
    callback(null, profile);
  });
}

Hopefully, if anyone else bumps into a provider that doesn’t return the expected claims in their id_token, they can also solve this using this extension and a quick fetch script. I do, however, wish there was an “Enforce /userinfo call” option in the Enterprise Connections. I’ve left feedback about my use case for Auth0 in the appropriate channel, so the rest is up to them.

Thank you again, João Angelo.

1 Like

Thanks for sharing the sample code for the benefit of others.