Express-openid-connext: Intended way to get user data on login

sr258 · January 5, 2023, 10:53am

Hi,

I use express-openid-connect to have Single Sign On for my application. When a user logs in, I want to update the user entry in my application’s database with the data received from the identity provider. It looks like afterCallback is the best place for this, as it’s only called once after login. However, the id_token is only available in its base64 form and I have to decrypt it manually like this:

const tokenSet = new TokenSet({
      id_token: session.id_token,
    });

    const claims = tokenSet.claims();

Is this the way it’s intended or am I missing something?

eric.culley · January 14, 2023, 12:11am

Hi @sr258,

Welcome to the Auth0 Community.

You are correct that from afterCallback you’ll need to decode the id token to view it’s claims. You can see an example of this using the jose package in our documentation that I’ve linked below.

github.com

auth0/express-openid-connect/blob/master/EXAMPLES.md#8-validate-claims-from-an-id-token-before-logging-a-user-in

# Examples

1. [Basic setup](#1-basic-setup)
2. [Require authentication for specific routes](#2-require-authentication-for-specific-routes)
3. [Route customization](#3-route-customization)
4. [Obtaining access tokens to call external APIs](#4-obtaining-access-tokens-to-call-external-apis)
5. [Obtaining and using refresh tokens](#5-obtaining-and-using-refresh-tokens)
6. [Calling userinfo](#6-calling-userinfo)
7. [Protect a route based on specific claims](#6-protect-a-route-based-on-specific-claims)
8. [Logout from Identity Provider](#7-logout-from-identity-provider)
9. [Validate Claims from an ID token before logging a user in](#8-validate-claims-from-an-id-token-before-logging-a-user-in)
10. [Use a custom session store](#9-use-a-custom-session-store)

## 1. Basic setup

The simplest use case for this middleware. By default all routes are protected. The middleware uses the [Implicit Flow with Form Post](https://auth0.com/docs/flows/concepts/implicit) to acquire an ID Token from the authorization server and an encrypted cookie session to persist it.

```text
# .env
ISSUER_BASE_URL=https://YOUR_DOMAIN

This file has been truncated. show original

eric.culley · February 20, 2023, 3:00pm

This topic was automatically closed after 13 days. New replies are no longer allowed.

Topic		Replies	Views
Do you need to verify the ID token in afterCallback? Help jwt , express	1	3235	February 5, 2022
Refreshing id_token with express-openid-connect Help express , openidconnect	2	4812	November 26, 2021
How to update idTokenClaims for express-openid-connect Help auth0	0	2295	March 14, 2022
Manually set ID Token in express-openid-connect SDK Help express-openid-connect , sdks-quickstarts	2	1516	May 27, 2024
Accessing id_token in expressjs Help sessions , authentication-sessions	3	371	February 9, 2024

Express-openid-connext: Intended way to get user data on login

Related Topics