I can get the email in the SPA, but I need a way to securely communicate that to the API. The sub claim seems to just have the auth0 ID for the user, but I need the actual email itself. I thought that adding ‘email’ to the scope would be sufficient.
Is anyone able to advise me on how to do this? Thank you!
Including OIDC standard claims as part of the scope parameter will only lead to the automatic inclusion of that information in the ID Token, because that's what the specification points to.
Alternatively, your API could call the /userinfo endpoint to get the user profile. Since the access token includes the scope openid email you will get the user’s email in the response: https://auth0.com/docs/api/authentication#get-user-info
I’d rather not call /userinfo, because then my API response depends on a nested API response, increasing latency and introducing a new source of errors. What I like about verifying the JWT is that I can do it without any external calls.
It is very confusing that the access token is a subset of the ID token, since in your bog-standard SPA+API CRUD app most of the important stuff is happening behind the API, so that's where the user info is needed.
It seems like the correct thing is indeed what I’m doing, which is a namespaced claim implemented using a rule. It’s good that I have confirmation of this, and can proceed along this path. Thanks again for responding!