Decode access token in backend


I implemented the authentication in the front end as such :

userLogin: function() {    
    let deferred = new Ext.Deferred();
    //Create auth0 client
    //TODO ADA : move domain and client_id to auth_config.json
      domain: "domain",
      client_id: "clientId",
      audience: "audience",
      useRefreshTokens: true
    }).then(function(auth0) {
        try {
            auth0.isAuthenticated().then(async function (authenticated) {
                if (!authenticated) {
                    const query =;
                    const shouldParseResult = query.includes("code=") && query.includes("state=");
                    if (shouldParseResult) {
                        console.log("> Parsing redirect");
                        try {
                            const result = await auth0.handleRedirectCallback();
                            console.log("Logged in!");
                        } catch (err) {
                            console.log("Error parsing redirect:", err);
                        window.history.replaceState({}, document.title, "/");
                    } else {
                        auth0.loginWithRedirect({ redirect_uri: window.location.origin });
                } else {
                    auth0.getTokenSilently().then(function (token) {
                        Ext.Ajax.setDefaultHeaders({ 'Authorization': 'Bearer ' + token });
        } catch (err) {
            console.log("Log in failed", err);

    return deferred.promise;

And I configured my API using this doc :

var domain = $"domain";
var apiIdentifier = "identifier";
var keyResolver = new OpenIdConnectSigningKeyResolver(domain);

    new JwtBearerAuthenticationOptions
        AuthenticationMode = AuthenticationMode.Active,
        TokenValidationParameters = new TokenValidationParameters()
            ValidAudience = apiIdentifier,
            ValidIssuer = domain,
            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => keyResolver.GetSigningKey(kid)

Now I need to Identify my user in the back end to load his preferences etc.
How can I do this?

I tried to decode the token ( but it seems to be empty or malformed.


Hello @AnthonyDaSilva!

Interesting - Can you confirm you are passing a valid audience? Without that, the access token you get back can be opaque.

It sounds like you will either want to look at getting an ID token or using the access token received to call /userinfo. Both are valid approaches :smile:

Hello @tyf,

I changed the audience and now the decoding is working. :slight_smile:
For the user info, I implemented the /userinfo call but it seems it’s not the proper way of doing it as I’m reaching the request limit pretty easily (The remote server returned an error: (429) Too Many Requests.).

How can I get the ID Token ?

1 Like

Sorry for the delayed response here, but wanted to follow up!

Awesome, good to know this is working for you now :smile:

Were you able to get this sorted? An ID token should be returned if you include the openid scope as a param alongside domain, client_id etc.

Hi tyf,

I managed to add the user email in the access token and it’s working, but I have another question, the parameter name for the rule is ‘Http://’ and if I change it disappear from the access token.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.