I implemented Auth0 using the Auth0 Python SDK Quickstarts: Login.
From the successful login page, I am able to view the following:
{
  "access_token": "xxx",
  "expires_at": 1657696308,
  "expires_in": 86400,
  "id_token": "xxx",
  "scope": "openid profile email",
  "token_type": "Bearer",
  "userinfo": {
    "aud": "a6GNX8ifpOrWovu9NakUp4Sxz0kqdJul",
    "email": "gerardsho@gmail.com",
    "email_verified": true,
    "exp": 1657645903,
    "iat": 1657609903,
    "iss": "https://randomsilver.us.auth0.com/",
    "name": "gerardsho@gmail.com",
    "nickname": "gerardsho",
    "nonce": "vumVyni7iVWzB7HRoAmY",
    "picture": "https://s.gravatar.com/avatar/1d847a5259fe55eb7c84f439e5f00277?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fge.png",
    "sub": "auth0|62c45daf67fdea356d28bad4",
    "updated_at": "2022-07-11T19:34:14.775Z"
  }
}
What I would like to know is this: if I access the raw login page from:
https://{AUTH0_DOMAIN}/authorize?audience={API_AUDIENCE}&response_type=token&client_id={CLIENT_ID}&redirect_uri={CALLBACK_URI}
I would see a token at the end of the URL upon successful login.
I found that this token does not match any of the tokens shown on the successful login page configured above in the first method. Mainly, when I decoded it via jwt.io, it seems like the token from the second method is more complete, containing the permission rights. Kindly shed some light on this.