How can we request the 'id_token' after the authentication is done?

Hi there,
I am using php-laravel 6.2 and auth0. I am able to log in and get the 'access_token' and 'id_token'.
But I want to get the 'id_token' for any API I have to consume on my PHP side.
How can I generate/get the "id_token" after the user is logged in?

Hi @haroon.momin,

I am not too familiar with Laravel, but I will try to help!

Just to clarify, are you wanting the Access Token or ID Token for the user? APIs should only be concerned with the Access Token. If you have multiple APIs which the user should have access to, then you can consider the following approach: Configure Logical API for Multiple APIs

The Laravel quickstart provides the following example for getting the user’s info once logged in:

<?php

namespace App\Repositories;

use App\User;
use Auth0\Login\Auth0JWTUser;
use Auth0\Login\Auth0User;
use Auth0\Login\Repository\Auth0UserRepository;
use Illuminate\Contracts\Auth\Authenticatable;

class CustomUserRepository extends Auth0UserRepository
{
    // Look the local user up by the Auth0 'sub' claim, creating it on first login.
    protected function upsertUser( $profile ) {
        return User::firstOrCreate(['sub' => $profile['sub']], [
            'email' => $profile['email'] ?? '',
            'name' => $profile['name'] ?? '',
        ]);
    }

    // Called when a request carries a bearer token that has already been decoded and verified.
    public function getUserByDecodedJWT(array $decodedJwt) : Authenticatable
    {
        $user = $this->upsertUser( $decodedJwt );
        return new Auth0JWTUser( $user->getAttributes() );
    }

    // Called after the browser login flow, with the profile and the access token from Auth0.
    public function getUserByUserInfo(array $userinfo) : Authenticatable
    {
        $user = $this->upsertUser( $userinfo['profile'] );
        return new Auth0User( $user->getAttributes(), $userinfo['accessToken'] );
    }
}

Hi @stephanie.chamblee,
Thanks for your response. I have already done that, but no luck.
Can I ask you one question: in the "access_token", apart from the 'sub', can I use email?
Right now,
{
  "iss": "https://{{domain}}/",
  "sub": "auth0|auth0 id",
  "aud": [
    "http://localhost:9090",
    "https://{{domain}}/userinfo"
  ],
  "iat": 1618380170,
  "exp": 1618466570,
  "azp": "UvNTilRKJndStaMIcG41IeUjRhoJWL4Z",
  "scope": "openid profile email"
}
I want,
{
  "iss": "https://{{domain}}/",
  "email": "user email",
  "aud": [
    "http://localhost:9090",
    "https://{{domain}}/userinfo"
  ],
  "iat": 1618380170,
  "exp": 1618466570,
  "azp": "UvNTilRKJndStaMIcG41IeUjRhoJWL4Z",
  "scope": "openid profile email"
}

The Access Token won’t contain any user info except the user ID.

You can use the user ID to request user info by using the /userinfo endpoint. You can also add custom claims to the Access Token using rules: Sample Use Cases: Scopes and Claims

Only the ID Token will contain all of the user profile info.

@stephanie.chamblee,
The '/userinfo' endpoint has a rate limit. Not feasible.
I wish we could use the email apart from 'sub', because user_id is not my PK.

I see, thanks for clarifying! In that case, you can add the user’s email in the Access Token by creating a rule. Go to Auth pipeline > Rules in your Auth0 dashboard. Click + CREATE RULE and select Empty rule. Paste in this rule, replacing the namespace with your app’s URI (a namespace is required so that the claim does not collide with others):

function(user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.accessToken[namespace + 'email'] = user.email;
  callback(null, user, context);
}

Hi,
Does app's URI mean the auth0 domain, or what?
Currently, I am on localhost. So, how can I use this to accomplish this?
If my App name is 'MynewApp', then what will the URI be?

A namespace is required for custom claims so that your claims will not collide with the reserved claims or claims from other resources. If you try to add a custom claim that is not namespaced, it will be silently filtered out and won't be present in the Access Token.

The namespace has to use the format https://some-domain, but if you don’t have a domain for your app yet, this can be anything (e.g. https://MynewApp.com). Once you have a domain for your app, you can use that as the namespace.

Here is more info about creating a namespace for custom claims:

https://auth0.com/docs/tokens/create-namespaced-custom-claims
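As an added example (not code from this thread or from Auth0), here is the rule from the reply above run through a stand-in for the Auth0 rules pipeline, followed by a consumer-side helper that reads the namespaced email claim back out of a decoded access token; the namespace, user record and token payload are constructed placeholders.

```javascript
// Added example, not from the thread: the rule above run against a constructed
// user/context pair, then the namespaced claim read back the way a consuming API would.
const NAMESPACE = 'https://myapp.example.com/'; // placeholder namespace, as in the rule above

// The rule exactly as Auth0 invokes it: (user, context, callback).
function addEmailClaimRule(user, context, callback) {
  context.accessToken[NAMESPACE + 'email'] = user.email;
  callback(null, user, context);
}

// Drive the rule the way the rules pipeline would and hand back the resulting context.
function runRule(user, context) {
  let result = null;
  addEmailClaimRule(user, context, (err, _user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Consumer side (the API that receives the token): read the namespaced claim from a
// decoded access token payload. This assumes the JWT library has already verified the
// signature and issuer; audience and expiry are re-checked here before the claim is trusted.
function emailFromAccessToken(payload, expectedAud, nowSeconds) {
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(expectedAud)) return null;                            // not meant for this API
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return null; // expired
  const email = payload[NAMESPACE + 'email'];                                   // the claim the rule added
  return typeof email === 'string' ? email : null;                              // absent when not namespaced
}

// Constructed sample data modelled on the payload quoted earlier in the thread.
function buildSamplePayload() {
  const user = { user_id: 'auth0|123', email: 'user@example.com' };
  const ctx = runRule(user, { accessToken: {}, idToken: {} });
  return {
    iss: 'https://example.auth0.com/',
    sub: 'auth0|123',
    aud: ['http://localhost:9090', 'https://example.auth0.com/userinfo'],
    iat: 1618380170,
    exp: 1618466570,
    scope: 'openid profile email',
    ...ctx.accessToken,
  };
}
```

A plain `email` key written without the namespace would not survive the pipeline, and the helper deliberately ignores one even if it were present, so the lookup only ever trusts the claim the rule added.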

@stephanie.chamblee, Thank you very much it works.
