I’m evaluating the feature of using non interactive client for future integrations.
In my understanding the protected server (APIs in my case) will only let pass the HTTP requests that have a JWT bearer token in Authorization header (I’m pretty new to Auth0 and authorization and authentication in general so I apologize in advance if I won’t use right terminology)
I’ve used Spring security example found here.
It works for me (I mean only the valid JWT token passes the Spring Security and I’m able to access the HTTP controller on server)
But now I would like to set some additional information on non-interactive client in a key value form and access it on server. So I did it for my client in section “Advanced settings” → “Application Metadata”.
As the aforementioned tutorial suggests, I’ve asked for the token to be sent with
“Authorization Bearer” as follows:
curl --request POST --url https://MY_COMPANY_NAME.auth0.com/oauth/token
-- header 'content-type: application/json' --data '{"client_id":
"CLIENT_ID","client_secret": "CLIENT_SECRET",
"audience":"https://MY_COMPANY_NAME.auth0.com/",
"grant_type":"client_credentials"}'
As a result I’m getting a JWT token that looks like this:
{
"access_token":"TOKEN",
"expires_in":86400,
"scope":"openid create:textAnalysis",
"token_type":"Bearer"
}
Its header is:
{
"typ": "JWT",
"alg": "RS256",
"kid": "SOME_VALUE"
}
Its payload looks like this:
{
"iss": "https://MY_COMPANY.auth0.com/",
"sub": "SUBJECT@clients",
"aud": "https://MY_COMPANY_NAME.auth0.com/",
"exp": 1498193789,
"iat": 1498107389,
"scope": "openid create:textAnalysis"
}
But when I check it in JWT.IO I don’t see any information about custom metadata I’ve sent.
I’ve tried another way - to query Auth0 on server: to call GET request /userinfo with this JWT token but i also doesn’t work (I’m getting an unauthorized 401 response).
So my question what should I do to get this metadata?
Is it possible to do that in both ways I’ve described or maybe there is any other way to get this working?