Express-openid-connext: Intended way to get user data on login

sr258 · January 5, 2023, 10:53am

Hi,

I use express-openid-connect to have Single Sign On for my application. When a user logs in, I want to update the user entry in my application’s database with the data received from the identity provider. It looks like afterCallback is the best place for this, as it’s only called once after login. However, the id_token is only available in its base64 form and I have to decrypt it manually like this:

const tokenSet = new TokenSet({
      id_token: session.id_token,
    });

    const claims = tokenSet.claims();

Is this the way it’s intended or am I missing something?

eric.culley · January 14, 2023, 12:11am

Hi @sr258,

Welcome to the Auth0 Community.

You are correct that from afterCallback you’ll need to decode the id token to view it’s claims. You can see an example of this using the jose package in our documentation that I’ve linked below.

github.com

auth0/express-openid-connect/blob/master/EXAMPLES.md#8-validate-claims-from-an-id-token-before-logging-a-user-in

# Examples

1. [Basic setup](#1-basic-setup)
2. [Require authentication for specific routes](#2-require-authentication-for-specific-routes)
3. [Route customization](#3-route-customization)
4. [Obtaining access tokens to call external APIs](#4-obtaining-access-tokens-to-call-external-apis)
5. [Obtaining and using refresh tokens](#5-obtaining-and-using-refresh-tokens)
6. [Calling userinfo](#6-calling-userinfo)
7. [Protect a route based on specific claims](#6-protect-a-route-based-on-specific-claims)
8. [Logout from Identity Provider](#7-logout-from-identity-provider)
9. [Validate Claims from an ID token before logging a user in](#8-validate-claims-from-an-id-token-before-logging-a-user-in)
10. [Use a custom session store](#9-use-a-custom-session-store)

## 1. Basic setup

The simplest use case for this middleware. By default all routes are protected. The middleware uses the [Implicit Flow with Form Post](https://auth0.com/docs/flows/concepts/implicit) to acquire an ID Token from the authorization server and an encrypted cookie session to persist it.

```text
# .env
ISSUER_BASE_URL=https://YOUR_DOMAIN

This file has been truncated. show original

eric.culley · February 20, 2023, 3:00pm

This topic was automatically closed after 13 days. New replies are no longer allowed.