Get user data server side

I am getting an accessToken and an idToken from client.login within my SPA. I want to make a request to my API (resource server) to get user data from my database. However, I need the user’s email address or user ID to do so.

This is currently not accessible within an accessToken but it is accessible inside of an idToken. In order for me to follow the ‘correct’ way to do things by sending the accessToken in the header and not the idToken, I need to somehow extract the accessToken from the header on my request in the server and call client.userInfo with that accessToken.

So, I could just send the idToken instead of the accessToken but every page of documentation here says that that is an ‘anti-pattern’ and that the idToken is for the client and the accessToken is for the server. I’m trying to do things the right way.

Another option is, could the accessToken include the email address? I have added scope: 'openid profile email' to my client.login request, but it has done nothing except add scope: 'openid profile email' to the JWT data (kinda useless).

Any ideas?

To reiterate the guidance from the docs, ID tokens should never be used as API tokens. They are simply to authenticate a user to a client, and not for authorizing the user to the resource server (API).

There are two options to obtain additional user information in your resource server:

  1. Calling the /userinfo endpoint with the access_token - This will return the user’s profile information.
  2. Explicitly adding the claim to the access_token using Rules. This will persist the claim in that access_token, meaning your resource server can simply query the token for the additional claim. Note, one of the advantages of JWTs is their compact size, hence this method is not recommended for many custom claims.