Get User from .NET Core 3.1 API from authenticated User from PKCE flow

I have just successfully implemented the PKCE flow from my Cordova Ionic5 mobile app, which then uses the auth_token to authorize against my .NET Core 3.1 API.

The problem is that I cannot access the user information:
name, email, etc.

I really need to know “who” the user is which just authenticated. Can you please help?

Here is my Stack Overflow post for this same issue:

Can you share a sample token? For a JWT token if you redact the signature component it renders the token unusable and you can use to see if any of the information it contains is something you would deem sensitive or not before sharing.

The most likely explanation is that you’re sending a JWT access token obtained by performing an authentication/authorization flow using an audience parameter associated with your API. If that assumption is correct the issued access token will contain a sub claim containing the user identifier, but by default it will not contain additional information about the user like email or name.

It’s important to make a note that another type of token (the ID token) may by default include such information and ID tokens are always a JWT so it’s important to not confuse both.

If you strictly need additional information in the access token, you can consider adding it as custom claims and then have your API, as part of token validation, extract those claims so that they are available to the application once validation of the token is completed.

1 Like

Thanks for your response but I don’t think you are following me…

If you look at my Stack Overflow post, you will see that I have successfully authenticated w/Auth0 tenant and get back my access_token, id_token, scope and token_type (see below).

I am able to take the id_token and go to and see pertinent information. (see below)

What I am simply asking is:
How can I obtain this same information, i.e., the email address, user name, etc., from my .NET Core application using the auth_token?

@ricardo.batista @jmangelo any response?

I think there may indeed be some misunderstanding (both ways); the token you shared is an ID token. In general, the token you will be sending to perform calls against an API will be an access token. The contents of the access token will be significantly different to the contents of an ID token by default.

However, as I mentioned before you can include custom claims in the access token that pertain to user information.

Having said that, the first step here is to confirm which token is being sent to the API. Is it the ID token or access token?

1 Like
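
Added example, not part of any post in this thread: one way to carry out the first step suggested above (confirming which token is being sent to the API) is to decode the token's payload and compare its `aud` claim with your client ID and your API identifier, then list which user claims it actually carries. `CLIENT_ID`, `API_AUDIENCE`, the function names and both sample tokens are constructed placeholders, not values from the thread.

```javascript
// Debugging aid only: this decodes the payload WITHOUT verifying the signature.
// The API must still validate the token before trusting any claim in it.
const CLIENT_ID = "constructed-client-id";        // placeholder: your application's client ID
const API_AUDIENCE = "https://api.example.test";  // placeholder: your API identifier (audience)

function b64urlToJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("payload is not an object");
  return value;
}

function classifyToken(token, clientId, apiAudience) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    // Not a three-part JWT (for example an opaque access token): nothing to decode.
    return { kind: "opaque", userClaims: [] };
  }
  let payload;
  try {
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    return { kind: "malformed", userClaims: [] };
  }
  const aud = [].concat(payload.aud || []); // aud may be a string or an array
  const userClaims = ["sub", "name", "email"].filter((c) => c in payload);
  let kind = "unknown";
  if (aud.includes(apiAudience)) kind = "access_token"; // issued for the API
  else if (aud.includes(clientId)) kind = "id_token";   // issued for the client app
  return { kind, userClaims };
}

// Constructed sample tokens (fake signature) so the example runs offline.
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}
const sampleIdToken = makeToken({
  sub: "auth0|123", aud: CLIENT_ID, name: "Ana Example", email: "ana@example.test" });
const sampleAccessToken = makeToken({
  sub: "auth0|123", aud: [API_AUDIENCE], scope: "openid profile email" });

console.log(classifyToken(sampleIdToken, CLIENT_ID, API_AUDIENCE));
console.log(classifyToken(sampleAccessToken, CLIENT_ID, API_AUDIENCE));
```

If the token your app sends is reported as `access_token` with only `sub` among its user claims, that matches the default behaviour described in the replies above.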