Email is not a part of the scope within User.Identity.Claims in API

Hi. I’m following this blog as an excercise securnig Blazor apps: How to Secure Blazor WASM Applications with Auth0

User email is shown fine on the client side using context.User.Identity.
However when I try to get user email on the API side I’m completely lost how can I do that.

Claims in the User.Identity even does not contain “email” in it’s scope:

[0]: {iss: https://***.eu.auth0.com/}
    [1]: {http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: auth0|***}
    [2]: {aud: https://***tutorial.com}
    [3]: {aud: https://***.eu.auth0.com/userinfo}
    [4]: {iat: 1633215972}
    [5]: {exp: 1633302372}
    [6]: {azp: IKM***zhg}
    **[7]: {scope: openid profile}**

Though this article claiming that “email” should be part of standard claims, it still not there: Sample Use Cases: Scopes and Claims, in my case is not there.

Is anyone have an idea what the configuration is missing? I followed all the steps described in the blog.

Hey there!

@andrea.chiarelli would you be able to help on this one?

Hey @Keeper,
I’m not sure about what you are trying to accomplish :thinking:
Why do you need the user profile on the API side? I mean, as far as I know, an API shouldn’t use an ID token. Can you elaborate on what your scenario is, please?

1 Like

Hi Andrea.

At the moment I need to know user email who logged in to create user profile in DB on the application side, for sure I need that email address on an API side.

Kind Regards,
Vadim.

I don’t have many details on your architectural scenario, so I can only make some hypotheses.

I assume you have a client (Blazor WASM client?) and an API (ASP.NET Web API). Your client uses Auth0 to authenticate your users and requests an access token to access your API.
The intended recipient of the ID token issued by Auth0 is your client. As per best practices, you shouldn’t pass it to your API.
If you need the user email on the API side, you can pass it as an argument.

That said, I don’t know why do you want to store the user email on your DB, but if you want to use it as a key to identify the user, I’m afraid it is not a good idea. The user email can change and you risk misaligning your data. For this purpose, you should use the sub value from the ID token as your user identifier.

Finally, just for completeness, to get the user email you need to request it explicitly when your users authenticate. In other words, you need to add the email scope in your OpenID Connect configuration. In the data you shown above, I see only openid and profile scopes.

1 Like

Hi Andrea.

Many thanks for your reply. That’s all make a sense.
Yep, you are right, that’s WASM + API pattern,
We are reviewed and changed some of our patterns.

Thanks again for for your support!!

Kind Regards,
Vadims.

1 Like

Auth0 team is here for you Keeper!