How can I get an access token of a user with external IdP (SSO) for testing?

Problem statement

I need to get an access token that has custom claims provided by the IdP for testing purposes

Cause

If you want an access token from a user logged in, let’s say with Azure SSO, there are no out-of-the-box features to get a token. As you are trying to impersonate a user to use the API, you will need to authenticate appropriately, and that requires some back-and-forth operations between Auth0 (trusted service) and Azure (the IdP).

Solution

A possible workaround that we use for testing purposes is to create an application that uses the front channel (a SPA, for example) and follow the login flow with the redirect URI pointing to https://jwt.io/ (remember to also add this URL to the Allowed Callback URLs of the app in the Dashboard). Then, depending on your response type, there are different outputs:

  1. If you receive an access token, it will be displayed on the page (also in the URL params)
  2. If you receive a code, you’ll need to get the token based on your application. Here is an example of a default SPA using an Authorization Code flow with PKCE:
curl --location 'https://{{yourDomain}}/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id={{clientId}}' \
--data-urlencode 'code={{code}}' \
--data-urlencode 'redirect_uri=https://jwt.io' \
--data-urlencode 'code_verifier={{codeVerifier}}'

Otherwise, you need to follow the login flow of any application authorized to use that connection, then extract the code or token by logging it in that application and copying it manually.
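As an added example (not part of the original article), the same procedure in Python: generate the PKCE pair, build the /authorize URL that sends the browser back to jwt.io, exchange the code exactly as the curl command does, and decode the returned token's payload to check the custom claims the IdP provided. The tenant domain, client ID, API audience and connection name are placeholders you supply; the audience is needed because without one Auth0 issues an opaque access token rather than a JWT.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

REDIRECT_URI = "https://jwt.io"  # must be listed in the app's Allowed Callback URLs

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def new_verifier() -> str:
    """43-character random code_verifier (allowed length is 43..128)."""
    return b64url(secrets.token_bytes(32))

def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(sha256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(domain, client_id, verifier, state, audience=None, connection=None):
    """Open this in a browser; after SSO login jwt.io receives ?code=...&state=..."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": state,
              "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
    if audience:  # without an API audience Auth0 issues an opaque, not a JWT, access token
        params["audience"] = audience
    if connection:  # e.g. the Azure AD enterprise connection name, to skip the login picker
        params["connection"] = connection
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)

def exchange_code(domain, client_id, code, verifier):
    """The same POST as the curl command above; returns the token response as a dict."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "client_id": client_id,
                                   "code": code, "redirect_uri": REDIRECT_URI,
                                   "code_verifier": verifier}).encode()
    req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def jwt_claims(token: str) -> dict:
    """Decode the payload only (no signature check) to eyeball the IdP-provided custom claims."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

Keep the verifier from build_authorize_url and pass it unchanged to exchange_code, together with the code copied from the jwt.io URL; the state value lets you confirm the redirect belongs to your own request.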