I’ve been playing around with using Auth0 as a service provider and wanted to confirm that the flow I set up is correct to create an authenticated session in a webapp. I initiate authentication from the IdP. This IdP is set up in my enterprise connections and set up to use a client with a Client Type of Regular Web Application. The client has a callback URL set up that is an endpoint in my webapp.
The callback receives a code and, on the server side, uses it to make an API call to https://{tenant}.auth0.com/oauth/token to get an access token and ID token. For the id_token to be returned in the callback, in my connection’s setup I had to set the Query String in the IdP-Initiated SSO settings to “scope=openid”. It then verifies the JWT signature, decodes it to get the user information, and creates a session in the webapp for that user. It then redirects them to an authenticated home page.
I based the flow on the instructions here: Add Login Using the Authorization Code Flow, but instead of calling the userinfo API to get the user details, I use the ID token to avoid another API call. Is the userinfo endpoint the preferred way of getting user profile details? One thing to note is that there is potential for adding some attributes to the SAMLResponse that are not part of the default user profile.
Thanks in advance
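The callback logic the post describes, as an added example that is not the poster's code: it builds the server-side request that exchanges the callback's code at https://{tenant}.auth0.com/oauth/token, then validates the returned ID token (pinned algorithm, signature, iss, aud, exp, sub) before taking profile fields from its claims for the session, which is what makes skipping the userinfo call safe. The tenant, client ID, client secret, redirect URI and signing secret are assumed placeholders, and the sample ID token is constructed locally and signed with HS256 so the example runs offline; a Regular Web Application normally receives RS256 tokens, for which the verifier checks the signature against the tenant's JWKS instead of a shared secret.

```python
"""Callback-side handling of the Authorization Code flow against Auth0.

Added example, not code from the original post. Placeholders (tenant, client
ID/secret, redirect URI, signing secret) are assumed; the ID token is built
locally and signed with HS256 so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
from typing import Any, Callable, Dict, Optional, Tuple

# Assumed placeholders, not real credentials.
TENANT = "example-tenant"
CLIENT_ID = "abc123clientid"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://webapp.example/callback"
ISSUER = f"https://{TENANT}.auth0.com/"  # Auth0 issuer values end in a slash

Verifier = Callable[[Dict[str, Any], str, bytes], bool]


class IdTokenError(ValueError):
    """Raised when an ID token must not be used to create a session."""


def build_token_request(code: str) -> Tuple[str, bytes, Dict[str, str]]:
    """(url, body, headers) for the server-side exchange of the callback's code.
    redirect_uri must equal the callback URL registered on the client."""
    url = f"https://{TENANT}.auth0.com/oauth/token"
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "code": code, "redirect_uri": REDIRECT_URI,
    }).encode()
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: Dict[str, Any], secret: str) -> str:
    """Constructed HS256 token standing in for the id_token /oauth/token returns."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in ({"alg": "HS256", "typ": "JWT"}, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def hs256_verifier(secret: str) -> Verifier:
    """HS256 check. A Regular Web Application normally gets RS256 tokens; there the
    verifier resolves the header's kid against the tenant's .well-known/jwks.json."""
    def verify(header: Dict[str, Any], signing_input: str, signature: bytes) -> bool:
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def verify_id_token(id_token: str, verifier: Verifier, *, issuer: str = ISSUER,
                    audience: str = CLIENT_ID, now: Optional[float] = None,
                    leeway: int = 60) -> Dict[str, Any]:
    """Check the signature and the claims binding the token to this app; return claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("token must have three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in ("RS256", "HS256"):  # pin alg; rejects alg=none
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    if not verifier(header, f"{h}.{p}", b64url_decode(s)):
        raise IdTokenError("signature verification failed")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in ([aud] if isinstance(aud, str) else aud or []):
        raise IdTokenError("token was not issued for this client")
    now = time.time() if now is None else now
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise IdTokenError("token expired")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def rejection_reason(id_token: str, verifier: Verifier, **kw: Any) -> Optional[str]:
    """None when the token is acceptable, otherwise why it was rejected."""
    try:
        verify_id_token(id_token, verifier, **kw)
        return None
    except IdTokenError as exc:
        return str(exc)


def session_from_claims(claims: Dict[str, Any]) -> Dict[str, Any]:
    """Profile fields the webapp keeps in its session, read from the ID token
    instead of a second round trip to /userinfo."""
    return {"user_id": claims["sub"], "email": claims.get("email"), "name": claims.get("name")}
```

The `aud` check against the client ID is what makes it safe to treat the ID token's claims as this app's user profile: a token minted for some other client, or a payload spliced onto a signature from another token, is rejected before `session_from_claims` ever runs.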