Get public profile url at /userInfo

I initialise auth0 like this

angularAuth0Provider.init({
    clientID: __env.auth0.clientId,
    domain: __env.auth0.domain,
    responseType: 'token id_token',
    audience: 'https://' + __env.auth0.domain + '/userinfo',
    redirectUri: __env.auth0.redirectUrl,
    scope: 'openid email profile user_metadata app_metadata'
})

I send the user to the hosted login page by calling .authorize(...)

angularAuth0.authorize({
    allowed_connections: ['linkedin', 'facebook', 'google-oauth2', 'windowslive', 'email'],
});

The lock at the hosted login page is initialized like this

var allowed_connections = config.extraParams.allowed_connections;
var lock = new Auth0LockPasswordless(config.clientID, config.auth0Domain, {
  auth: {
    redirectUrl: config.callbackURL,
    responseType: (config.internalOptions || {}).response_type ||
      (config.callbackOnLocationHash ? 'token' : 'code'),
    params: config.internalOptions
  },
  assetsUrl:  config.assetsUrl,
  allowedConnections: allowed_connections ? allowed_connections : null,
  closable: false,
  socialButtonStyle: 'small'
});

When the user has returned to the callback page, I parse the hash and call .userInfo()

angularAuth0.parseHash(function(err, authResult) {
    if (authResult && authResult.accessToken) {
        angularAuth0.client.userInfo(authResult.accessToken, function (error, user) {
            console.log(user);
        });

    } else if (err) {
        console.log(err);
    }
});

where user looks like this

{
  "sub": "linkedin|...",
  "given_name": "...",
  "family_name": "...",
  "nickname": "...",
  "name": "...",
  "picture": "https://media.licdn.com/dms/image/...",
  "updated_at": "2018-05-08T11:36:53.273Z",
  "email": "...",
  "email_verified": true
}

When looking at the Raw JSON at the online user management I can see a lot more info, e.g. publicProfileUrl.
How do I get that info?


@harald.andertun whenever you specify an audience with Auth0 or mark a client as OIDC conformant, Auth0 only supports certain scopes for returning data in the id_token or at the /userinfo endpoint. Specifically we only support these scopes:

There is a workaround for this. Inside a rule you can add additional claims to the id_token, but there is no way to augment what is returned at the /userinfo endpoint beyond the scopes listed in the specification. Here is what you can do to augment the id_token to fetch app_metadata and user_metadata:

context.idToken['https://example.com/claims/app_metadata'] = user.app_metadata;
context.idToken['https://example.com/claims/user_metadata'] = user.user_metadata;

The id_token is an optimization in that it will contain at least the same information as returned by /userinfo, and Auth0 provides a way to augment the token with additional claims. The key here is that the claims will need to be namespaced with a URL; otherwise Auth0 will remove them when using an OIDC Conformant application.

Since your React app is already requesting metadata scopes and the id_token, you don’t need to do much more. However, in the rule you can wrap the above code in an if statement that only adds that data if requested by the client (via scopes) and authorized by Auth0.
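
One way to write the scope-gated rule the answer describes, as an added example that is not part of the original thread and not Auth0's own code. It assumes the requested scope string is available at context.request.query.scope, that publicProfileUrl sits at the root of the rule's user object, and it uses a hypothetical custom scope named public_profile; the sample user and context are constructed so the function runs offline.

```javascript
// Added example. In the Rules editor the body of addRequestedMetadataClaims
// would be pasted as: function (user, context, callback) { ... }
const NAMESPACE = 'https://example.com/claims/'; // namespace URL used in the answer

// Requested scope -> profile attribute released under that scope.
// 'public_profile' is a hypothetical custom scope chosen for this example.
const SCOPE_TO_ATTRIBUTE = {
  app_metadata: 'app_metadata',
  user_metadata: 'user_metadata',
  public_profile: 'publicProfileUrl' // assumed to sit at the root of `user`
};

function requestedScopes(context) {
  // Assumption: the /authorize scope string is exposed on the request object.
  const request = context.request || {};
  const raw = (request.query && request.query.scope) ||
              (request.body && request.body.scope) || '';
  return raw.split(/\s+/).filter(Boolean);
}

function addRequestedMetadataClaims(user, context, callback) {
  const scopes = requestedScopes(context);
  context.idToken = context.idToken || {};
  Object.keys(SCOPE_TO_ATTRIBUTE).forEach(function (scope) {
    const attribute = SCOPE_TO_ATTRIBUTE[scope];
    // Release an attribute only if its scope was requested and the value exists,
    // so a client that asks for 'openid' alone never receives metadata.
    if (scopes.indexOf(scope) !== -1 && user[attribute] !== undefined) {
      context.idToken[NAMESPACE + attribute] = user[attribute];
    }
  });
  callback(null, user, context);
}

// Constructed sample input (not real profile data) to exercise the rule offline.
function demo(scope) {
  const user = {
    sub: 'linkedin|constructed',
    app_metadata: { roles: ['editor'] },
    user_metadata: { lang: 'sv' },
    publicProfileUrl: 'https://profile.example/constructed'
  };
  const context = { request: { query: { scope: scope } }, idToken: {} };
  let claims;
  addRequestedMetadataClaims(user, context, function (err, u, c) { claims = c.idToken; });
  return claims;
}
```

The rule only checks what the client requested; whether that client is allowed to receive a given attribute is a separate decision the rule would still have to make before adding the claim.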