How can I automate the recovery of a user id token for automated tests?


I am working on a project on which I authenticate my users on a front-end (authorization code with PKCE). Then, I am sending to my back-end the id token in order to check the authentication and return some information (if the authentication is successful).

In order to do automated tests (integrated on my CI), I would like to know if there is a method to fetch an id token from a test user.

I tried a first approach by:

  • creating an Auth0 tenant specific for test purposes
  • creating one user
  • fetching a token with the endpoint oauth/token with the password authorization flow.
    Nevertheless the endpoint doesn’t look to be able to return an id token, only access token. (according to the API documentation)

Can you recommend a way to automatically fetch an id token and then test my API routes?

I thank you a lot in advance,

Hi @theod,

Welcome to the Community!

Did you try passing an openid scope with your request?

Hello @dan.woda ,
Thanks a lot for the quick reply. Actually I tried to pass an openid scope in my request but only an access_token is returned.

Here is the model of my request:

curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=password&username=USERNAME&password=PASSWORD&audience=API_IDENTIFIER&scope=openid&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'

and the response looks like:

   "access_token": "...",
   "scope":"openid profile email address phone read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities","expires_in":2592000,"token_type":"Bearer"

This is in fact the behavior described in the section concerning this endpoint in the API documentation.

Is there something I am not doing correctly?

I just tested it and can get an ID token.

Here is my request exported from Postman, also tested in my terminal:

curl --location --request POST 'https://YOUR_DOMAIN/oauth/token' \
     --header 'Content-Type: application/x-www-form-urlencoded' \
     --data-urlencode 'grant_type=password' \
     --data-urlencode 'client_id=xxx' \
     --data-urlencode 'client_secret=xxx' \
     --data-urlencode 'username=xxx' \
     --data-urlencode 'password=xxx' \
     --data-urlencode 'scope=openid'

You are right, my mistake was to add an audience parameter.

Thank you so much for your support!


Let us know if you have other questions.
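
A CI helper built on the request that worked in this thread (`scope=openid`, no `audience`), as an added example that is not part of any post above: it fails with a clear error when only an access token comes back and sanity-checks the `aud` claim, which per OpenID Connect must contain the client ID. The function names, the injectable `send` parameter and the tenant and client values are assumptions; credentials are expected to come from CI secrets for the dedicated test tenant.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(client_id, client_secret, username, password):
    """Form body for POST /oauth/token, matching the request that worked in the thread."""
    # scope=openid asks for an ID token; no audience parameter is sent,
    # which is the change that fixed the original request.
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": "openid",
    })


def unverified_claims(jwt):
    """Decode the JWT payload without checking the signature (sanity checks only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_id_token(response_body, client_id):
    """Return the id_token from a token response, or raise with a useful message."""
    data = json.loads(response_body)
    if "id_token" not in data:
        # The failure seen in the thread; report key names only, never token values.
        raise ValueError("no id_token in response; keys: %s" % sorted(data))
    claims = unverified_claims(data["id_token"])
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token audience does not match the test client")
    return data["id_token"]


def fetch_id_token(domain, client_id, client_secret, username, password,
                   send=urllib.request.urlopen):
    """POST to the test tenant; `send` is injectable so tests can run offline."""
    body = build_token_request(client_id, client_secret, username, password)
    req = urllib.request.Request(
        "https://%s/oauth/token" % domain, data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with send(req) as resp:
        return extract_id_token(resp.read(), client_id)
```

Signature verification is left to the back end under test; the claim decoding here only confirms that the test fixture is the kind of token the API expects.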
