@sgmeyer Thanks for your answer!
(Sorry for being late responding.)
Checked and you’re right. The “advanced settings” menu showed that the id_token was signed using HS256 and not RS256. Updated and now the “kid” value is present in the header part.
Btw, about the adding email to the body part of the access_token. A colleage of mine noticed that you could use the “rules” feature and add a rule that looks something like the following:
function (user, context, callback) {
const namespace = 'https://somewhere.eu.auth0.com/';
context.accessToken[namespace + 'email'] = user.email;
callback(null, user, context);
}
which would then result in that the key/value pair:
"https://<something>.eu.auth0.com/email": "someone@somewhere.com"
got inserted into the body part of the access_token.
But I am not sure if this is a feasible way of getting the email address added, as while the rule worked as indended when I tested this a few days ago, I seems to be unable to get it to work today. Not sure about what is going on?
br,
kmm