`scope: openid profile` when authenticating in my client gives a [“using profile in scope is not recommended”](https://auth0.com/docs/libraries/lock/v10/sending-authentication-parameters#supported-parameters) warning. If I use `scope: openid`, the auth result only contains the `sub` claim, missing the `email` fields. How do I get the complete user profile without using `profile` in the scope?

Do I have to auth once with `scope: openid profile` to get the user profile and then again with `scope: openid` to get an access token to pass to my server API?
The warning in question is only meaningful if your client is performing authentication in a non-OIDC-compliant way. In this mode (aka legacy), requesting the profile would return the full profile information about the user, which, under certain situations and depending on the size of your users' profiles, could lead to issues; hence the warning.

For OpenID Connect compliant authentication, including `profile` in the scope only means that the OIDC claims associated with the profile (see OIDC Scope Claims) will be returned in the ID token; it's not the complete user profile, nor does it include user metadata, which sometimes contains a significant amount of data.

In conclusion, that is just a warning that, if you're already using OIDC compliance, you can mostly ignore because it does not apply, or, if you're still using legacy authentication, then you need to review it based on the characteristics of your users' profiles. In general, if you're not storing a significant amount of data in user metadata nor using an external IdP that returns a lot of profile information, then you can also ignore that warning even when using legacy authentication.
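To make the answer concrete, here is a small added example (not part of this thread or of Auth0's own code) that decodes an ID token payload, lists the claims that the requested scopes do not account for (custom claims, or full-profile data from legacy mode), and tells you which standard scope to add for a claim such as `email`. The sample token is constructed, and signature verification against the tenant's JWKS is assumed to happen elsewhere.

```python
import base64
import json

# Standard claims each OIDC scope entitles the client to (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
# Registered claims an ID token carries regardless of scope (RFC 7519 / OIDC Core 2).
TOKEN_CLAIMS = {"iss", "aud", "exp", "iat", "auth_time", "nonce", "azp", "at_hash", "c_hash", "acr", "amr"}


def _b64url(data):
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: what an ID token issued for `scope: openid profile` typically carries.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}),
    _b64url({"iss": "https://example-tenant.auth0.com/", "sub": "auth0|5f0c0000", "aud": "client-id",
             "iat": 1600000000, "exp": 1600036000, "name": "Jane Doe", "nickname": "jane",
             "picture": "https://example.invalid/jane.png", "updated_at": "2020-09-13T12:26:40.000Z"}),
    "c2lnbmF0dXJl",  # placeholder signature; never trust claims before the real signature is verified
])


def decode_payload(id_token):
    """Return the payload segment of a compact JWT (parsing only; verification happens elsewhere)."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def unexpected_claims(id_token, scope):
    """Claims in the token that neither the requested scopes nor the registered set account for."""
    entitled = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scope.split()))
    return sorted(set(decode_payload(id_token)) - entitled - TOKEN_CLAIMS)


def scopes_to_add(scope, wanted_claims):
    """Standard scopes missing from `scope` that are needed for `wanted_claims`."""
    requested = set(scope.split())
    owners = {claim: s for s, claims in SCOPE_CLAIMS.items() for claim in claims}
    return sorted({owners[c] for c in wanted_claims if owners.get(c) not in requested})
```

For the question above, `scopes_to_add("openid profile", ["email"])` returns `["email"]`: the `profile` scope never carries the email claims, so request `openid profile email` in one OIDC-compliant call rather than authenticating twice.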
Thanks for your reply. That is a relief! I am using the `audience` parameter, which means that I am using the OIDC compliant authentication.