I have a similar question to this (which was not answered AFAIK):
I have a SPA that connects to my API. After the user signs in using Auth0 on the SPA I now have an access token that I send along as an Authentication: Bearer header to my API. On the API end I define users by a unique ID, the unique ID is their email address. With every request to my API the SPA sends the access token and the email address of the user. I can trust that the profile information (including email) is okay on the SPA side of things (because the access token and profile information come from Auth0), but on the API end, I can't assume that the email address sent is the one associated with the access token.
I can get the user profile information (including email) using the access token and the Auth0 API endpoint /userinfo. BUT, that is rate limited, so I can't do that with every request to my API.
On my API I can look at the access token and see that it has information, an example of what I get is:
{"typ":"JWT","alg":"RS256","kid":"QUE5NTg3RjA1BLAHBLAHBLAHAwREUwOUY1RERGMjA0REEyRDY2Ng"}
{"iss":"https://{MY_DOMAIN}.auth0.com/","sub":"auth0|5d82fba96575590dd1076725","aud":["https://{MY DOMAIN","https://{MY DOMAIN}auth0.com/userinfo"],"iat":1569382570,"exp":1569468970,"azp":"yBLAHyAkssblahWbz4Vso9Hcbc7meiW","scope":"openid email profile create:client_grants remove:authenticators read:authenticators enroll member:loggedin","gty":"password"}
But getting a refresh token requires sending the code returned during the login process. I'll need to store that in the database for each user and make a request to /userinfo again to get that information (running into the rate limiting problem again).
TLDR: how can I get the user info from an access token without using /userinfo. Perhaps adding the email attribute to the access token with a rule?
The example you linked with custom claims should be able to handle this. Take note of the namespacing rules when implementing this, as it can often cause confusion.
This will eliminate the recurring requests problem you mentioned.
Thank you for the quick response. Your suggestion worked. I had tried this before but without the "namespacing". Here is my rule for anyone who comes after looking for the same solution:
"For this profile, Auth0 would normally return the following ID Token claims to your application:"
{
"iss": "https://my-domain.auth0.com/",
"sub": "custom|123",
"aud": "my_client_id",
"exp": 1311281970,
"iat": 1311280970,
"email": "jane@example.com",
"email_verified": true
}
But I don't get the "email" or "email_verified" fields.
I see where my confusion is now. I do not have access to the ID token on the API, only the Access Token which is sent in the Authorization header from the SPA.
I do not want to request user information on each request because of the /userinfo endpoint being rate limited.
I have gotten what I need by adding info to the access token via custom claims by using a rule as noted above.
I realise now that I can do without the rule and send the ID token along with the access token to the API. The information is in the ID token as suggested by the article I linked above.
Sending the email with the request is a solution too. It is going to depend on how you want to handle it. Glad you are thinking about different solutions and thank you for sharing them with the community.