Forwarding identity_token to resource server.

emanuel.williams · February 3, 2018, 2:31am

Its pretty clear that access_tokens are for API’s to verify authorization to specific endpoints on a resource and that identity_tokens are for clients only.

In our case we have an API (resource) and a front end client app. The client app authenticates with auth0 and is sent an access_token and identity_token (using the password-realm grant). The front end client will send the access_token when making calls to the API. However our API also needs to know who the user is that initiated the the request for auditing purposes.

We could call the /userinfo endpoint from the API to retrieve this, but that would have to happen for every single request. Would it be considered a bad practice in this case to forward the identity_token to the api?

According to googles oidc standards it is acceptable: OpenID Connect | Authentication | Google Developers (see the “validating an id token” section)

Thanks!

James.Morrison · December 17, 2018, 3:10pm

As it has been more than a few months since this topic was opened, and there has been no reply or further information provided as to the existence of the issue, we are closing this topic. Please don’t hesitate to create a new topic if this issue is still present, we would be happy to work with you to help find a resolution.

Topic		Replies	Views
How to access identity info in API Help token , id_token , access-token , identity	8	6633	April 6, 2019
Clarification on token usage Help token , access-token , bearer-token , id-token	5	11751	March 2, 2018
Should I send the id token from my SPA to my rest backend? Help authentication , rest , openidconnect , id-token , rest-api	2	5128	December 14, 2018
User registration and authentication management Help manage , users , authentication	2	5333	March 2, 2018
Using access_tokens and id_tokens together Auth0 Help jwt , auth0 , login	3	3389	September 3, 2019

Forwarding identity_token to resource server.

Related Topics