I am using the auth0-spa-js SDK for our SPA, which also makes calls to our API.
The Auth0 QuickStart documentation recommends using the jwks-rsa libraries to parse the token on the backend.
However, that middleware only populates an object with the standard JWT fields and does not include the user’s profile information. Since authorization is handled via application logic, I need to at least know the user’s email.
To get that email, I am using Auth0’s /userinfo endpoint. That endpoint returns essentially the same info provided by express-jwt and includes the user’s email address.
Do I need to use the express-jwt and jwks-rsa middleware if I’m just going to send the token to the userinfo endpoint? Are there any security implications of not using those libraries? What is the value of those libraries if it’s just as easy to send the token to the