I have a custom rule which is used by both api calls and standard web app calls.
I am adding additional attributes to the tokens, but how do I determine whether to add it to the idToken or the accessToken?
e.g.
context.accessToken['https://namespace'] = response;
context.idToken['https://namespace'] = response;
Can you use a switch case if statement to determine if it was an API call or a standard web app login? Or is it ok to simply add to both?
e.g.
if (context.request.query.response_type === 'code') {
    context.idToken['https://namespace'] = response;
}
The docs in the following link state that I should be able to use the access token in my web app…
but I am also reading that web application auth should use the id token and not an access token:
"Access tokens must never be used for authentication. Access tokens cannot tell if the user has authenticated."
This is a regular Ruby on Rails web app using the omniauth-auth0 gem, and the access token does not contain any claims when it comes back from Auth0 - it just has a small string as a token.
The idToken is populated, however.
Thanks
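Added example, not code from the original post or from Auth0: an Auth0-style rule that puts the same namespaced custom claims on both the ID token and the access token, plus an offline harness that mimics the `(user, context, callback)` contract, Auth0's filtering of non-namespaced custom claims, and the opaque-versus-JWT access token difference, so the rule can be exercised without a tenant. The namespace URL, the sample user, the API audience and the lookup result are constructed values.

```javascript
// Added example (not from the original post or from Auth0).
const NAMESPACE = 'https://example.com/claims'; // assumption: a URL-form namespace you control

// The rule. Auth0 calls rules as function (user, context, callback).
function addCustomClaims(user, context, callback) {
  // Constructed lookup result; this plays the role of `response` in the post.
  const meta = user.app_metadata || {};
  const response = { roles: meta.roles || [], tenant: meta.tenant || null };

  // Same payload on both tokens: the web app reads the ID token, an API reads
  // the access token. No branching on response_type is needed for that.
  context.idToken[NAMESPACE] = response;
  context.accessToken[NAMESPACE] = response;

  // Un-namespaced key, present only to show it being discarded below.
  context.idToken.roles = response.roles;

  return callback(null, user, context);
}

// Simulation of Auth0's post-rule filtering: custom claims survive only when
// their name is a URL-form namespace; anything else is dropped.
function keepNamespacedClaims(token) {
  const out = {};
  for (const [key, value] of Object.entries(token)) {
    if (/^https?:\/\//.test(key)) out[key] = value;
  }
  return out;
}

// Runs the rule for one simulated login and returns what each token would
// carry. `isApiRequest` stands in for "an API audience was requested": when it
// is false, Auth0 issues an opaque access token (a short string), so the
// claims the rule set on context.accessToken are not visible to the caller.
function runRule(user, isApiRequest) {
  const context = {
    request: {
      query: isApiRequest
        ? { audience: 'https://api.example.com' } // constructed API identifier
        : { response_type: 'code' },
    },
    idToken: {},
    accessToken: {},
  };
  let result = null;
  addCustomClaims(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = {
      idToken: keepNamespacedClaims(ctx.idToken),
      accessToken: isApiRequest ? keepNamespacedClaims(ctx.accessToken) : 'opaque',
    };
  });
  return result;
}

// Constructed sample user.
const sampleUser = {
  user_id: 'auth0|sample',
  app_metadata: { roles: ['admin'], tenant: 'acme' },
};

console.log(JSON.stringify(runRule(sampleUser, false), null, 2)); // web app login
console.log(JSON.stringify(runRule(sampleUser, true), null, 2));  // API request
```

The harness reflects two Auth0 behaviours worth knowing when debugging a rule like the one in the post: custom claims are only kept when their names are URL-form namespaces, and the access token is only a JWT that can carry those claims when the login requested an `audience` for a registered API. Without an audience the access token is the small opaque string described above and is meant only for the `/userinfo` endpoint, so a web app authenticating the user should read its claims from the ID token.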