Django Rest Framework and Auth0 integration (adding /userinfo)

Hi, I am integrating Auth0 into the Django Rest Framework, have followed the quickstart tutorial and everything works fine. What I need to do is extend this to obtain data from auth0/userinfo and I am not quite sure where to inject this logic. Ideally I would do it from jwt_get_username_from_payload_handler(), however this function does not receive access to the token (only the payload) and so there is no way to make a request to /userinfo.
Thanks for any insights on this.

def jwt_get_username_from_payload_handler(payload):
username = payload.get(‘sub’).replace(‘|’, ‘.’)
authenticate(remote_user=username)
return username

Good morning @trackers153, I hope you had a great holiday!

The below doc dives into leveraging the /userinfo, please give it a peek and let me know if it helps you on your journey :slight_smile:

https://auth0.com/docs/api/authentication#get-user-info

Thanks for pointer (which I had seen) but I am not sure how that answers my question. To reiterate, I am able to obtain /userinfo by hand (e.g. CLI), but I don’t know how to incorporate that functionality into the rest API framework. The tutorial you have does not cover /userinfo.

As we investigate this to give a deeper working example, what version of Django do you use?

We use v3+ of Django but the quick start guide that you have (using Django v2, I believe) was completely adequate to get things up and running. So not looking for anything based on Django 3 per se, but more of a working example that shows the general mechanics.

Hi, wanted to follow up on this. Alternatively, is there a way to configure Auth0 in a such a way as to include the user’s email in the authorization token’s payload, maybe within the ‘sub’ key ?
I don’t know the security implications of doing this, but would save on the extra request to /userinfo.

“sub”: “auth0|5fe
”

Thanks for following up on this! Also you should be able to leverage scope to pull the email if you are specifically looking for that resource.

Thanks. While I am able to get it working with the Default App (generic), it doesn’t appear to work with my Single Page App. This is what I get back in the payload - ‘email’ is included in the scope, however it isn’t included in the payload. Please advise.

{‘iss’: ‘https://[host].us.auth0.com/’,
‘sub’: ‘auth0|5fe
’,
‘aud’: [‘[audience]’,
‘https://[host].us.auth0.com/userinfo’], ‘iat’: 1610172450, ‘exp’: 1610258850,
‘azp’: ‘YePX
’,
‘scope’: ‘openid email offline_access’}

The access token won’t include the email attribute regardless of the scope you specify. It will only do so if you set up a custom rule to populate it, which we don’t recommend in this case.

If you want to save an extra request to /userinfo you can issue an ID token by specifying id_token in the response_type (e.g., response_type=token id_token) and retrieve the email attribute from it.

You should always read user profile information such as email address from the ID token or /userinfo as access tokens are intended for authorization and not authentication. This is why the access token doesn’t include such attributes by default.

1 Like

Thanks for the clarification. I guess my original question still stands - what’s the recommended way to obtain /userinfo in the context of using Auth0 with the Django Rest Framework. I did additional searching and apparently the library used in the Quickstart (drf-jwt) is no longer maintained and the author ( isn’t he employed at Auth0? ) recommends moving to django-rest-framework-simplejwt. I also found a post from a year ago saying that Auth0 is working on producing this implementation. Has there been any progress made on that?

2 Likes

I’m also stuck on this exact problem.

It’s not clear how or where to use the /userinfo endpoint. I was planning to extend the RemoteUserBackend to do this, but we don’t have access to the token at that point.

2 Likes

i’am also stuck in this problem, some of you managed to solve it?
it’is nothing clear how to get the email at this point.

we solve the problem using other token of other request, we use:

url_for_token = "https://DOMAIN/oauth/token"
body_for_token = {

    "client_id":"Uy**********7TE",

    "client_secret":"************",

    "audience":DEFAULT AUDIENCE API,

    "grant_type":"client_credentials"

}

response = json.loads(requests.post(url_for_token,data=body_for_token).text)

token_for_user = response["access_token"]

then we use that token to did the request for the email of the user

1 Like

Thanks for sharing that with the rest of community!