Getting scope/permissions into my ID Token (explain it to me like I'm five)

Hi all -

I’m getting a bit frustrated. I have a react app that communicates with a GraphQL API (apollo running on express). My react app gets the user’s ID Token by logging in with the universal login. I then pass that token as an Authorization header to the apollo client that communicates to the GraphQL server. This all works fine… On the apollo server, I can receive that JWT ID Token and verify it using the checkJwt function I pulled from the example in my account.

Now… I’ve read the articles, the how-tos, etc. I can’t seem to grasp how to get the ID token that gets generated when a user logs in to include their permission.

So… please… someone explain it to me like I’m five.

Thanks.
-Tom

1 Like

Hi Tom,

You can add permissions to the ID token using rule as I showed here (Auth0 - Enrich ID tokens with custom data). However, that’s not ideal. Permissions should go in Access Tokens, not ID Tokens. Auth0 will inject permissions and scopes in Access Tokens for you, but not in ID Tokens as far as I know.

Thanks
Pablo.

3 Likes

As Pablo said. Don’t use ID token to communicate session state. Most ID tokens probably contain PII (personally identifiable information) and that is something which only the requestor of the access token should have access to, because in the consent screen the User agreed to share their info with you the requestor and you only, and not some other app that you share under the hood.

Use Access Tokens for that and also you can enable RBAC for APIs and you’ll get permissions added automatically to the access token if they were assigned to the user as part of a role or as a direct permission.

Thanks for sharing all that with the rest of community and helping in this thread!