Using scope: `openid profile` when authenticating in my client gives a “using profile in scope is not recommended” warning (https://auth0.com/docs/libraries/lock/v10/sending-authentication-parameters#supported-parameters). If I use scope: `openid`, the auth result only contains the `sub` claim, missing the `name`, `nickname` and `email` fields. How do I get the complete user profile without using profile in scope?

Do I have to auth once with scope: `openid profile` to get the user profile and then again with scope: `openid` to get an access token to pass to my server API?
The warning in question is only meaningful if your client is performing authentication in a non-OIDC compliant way. In this mode (aka legacy) requesting the profile would return the full profile information about the user which under certain situations and depending on the size of the profiles of your users could lead to issues; hence the warning.
For OpenID Connect compliant authentication, including the `profile` in the scope only means that the OIDC claims associated with the profile (see OIDC Scope Claims) will be returned in the ID token; it’s not the complete user profile, nor does it include user metadata, which sometimes contains a significant amount of data.

In conclusion, that is just a warning that, if you’re already using OIDC compliance, you can mostly ignore because it does not apply, or, if you’re still using legacy authentication, then you need to review it based on the characteristics of your users’ profiles. In general, if you’re not storing a significant amount of data in user metadata nor using an external IdP that returns a lot of profile information, then you can also ignore that warning even when using legacy authentication.
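As an added example (not code from this thread or from Auth0's libraries), the block below encodes the scope-to-claims mapping the answer refers to (OIDC Core 1.0, section 5.4) and runs a small audit over an ID token to show what `openid` alone versus `openid profile email` actually releases, and that user metadata only shows up if something deliberately adds it as a namespaced custom claim. It also builds the single authorize request that, with `audience` set, yields both the ID token and an API access token. The tenant domain, client id, user, token contents and the `https://example.com/user_metadata` claim are constructed placeholders; the demo tokens are unsigned (`alg: none`) purely so the example runs offline, and a real client must verify the signature, `iss`, `aud`, `exp` and `nonce` before trusting any claim.

```javascript
// Added example: standard OIDC scope -> claims mapping, an ID-token claims
// audit, and a single authorize URL that returns both tokens. Not Auth0 code.

// OIDC Core 1.0, section 5.4: which standard claims each scope may release.
const SCOPE_CLAIMS = {
  openid: ["sub"],
  profile: ["name", "family_name", "given_name", "middle_name", "nickname",
            "preferred_username", "profile", "picture", "website", "gender",
            "birthdate", "zoneinfo", "locale", "updated_at"],
  email: ["email", "email_verified"],
  address: ["address"],
  phone: ["phone_number", "phone_number_verified"],
};

// Registered claims an ID token carries regardless of requested scope.
const ALWAYS_PRESENT = new Set(["iss", "aud", "exp", "iat", "nonce", "at_hash",
                                "c_hash", "azp", "auth_time", "sid"]);

function toBase64Url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromBase64Url(b64u) {
  return Buffer.from(b64u.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// UNSIGNED demo token (alg "none") so the example runs offline. A real client
// must verify the signature against the tenant JWKS plus iss/aud/exp/nonce.
function makeDemoIdToken(claims) {
  const header = toBase64Url(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${toBase64Url(JSON.stringify(claims))}.`;
}

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact-serialised JWT");
  return JSON.parse(fromBase64Url(parts[1]));
}

// For the scope string sent in the authorize request, report which standard
// claims were released, which standard claims the provider had no value for
// (OIDC only returns a claim when it exists for the user), and which claims lie
// outside the standard set for those scopes (e.g. namespaced custom claims).
function auditIdTokenClaims(scopeString, idToken) {
  const scopes = scopeString.split(/\s+/).filter(Boolean);
  if (!scopes.includes("openid")) throw new Error("scope must include openid for an ID token");
  const expected = new Set(scopes.flatMap((s) => SCOPE_CLAIMS[s] || []));
  const payload = decodePayload(idToken);
  const keys = Object.keys(payload);
  return {
    released: keys.filter((c) => expected.has(c)),
    notReleased: [...expected].filter((c) => !(c in payload)),
    extra: keys.filter((c) => !expected.has(c) && !ALWAYS_PRESENT.has(c)),
  };
}

// One authorize request is enough: with audience set, the code exchange returns
// an ID token (claims per scope) and an access token for that API. PKCE
// parameters are omitted here; a public client must add them.
function buildAuthorizeUrl({ domain, clientId, redirectUri, audience, scope, state, nonce }) {
  const url = new URL(`https://${domain}/authorize`);
  const params = { response_type: "code", client_id: clientId, redirect_uri: redirectUri,
                   audience, scope, state, nonce };
  for (const [k, v] of Object.entries(params)) if (v !== undefined) url.searchParams.set(k, v);
  return url.toString();
}

// Constructed sample tokens (placeholder tenant, client and user).
const BASE = { iss: "https://example-tenant.auth0.com/", sub: "auth0|5f1c0000000000000000abcd",
               aud: "abc123clientid", iat: 1700000000, exp: 1700036000, nonce: "n-0S6_WzA2Mj" };
const TOKEN_OPENID_ONLY = makeDemoIdToken(BASE);
const TOKEN_OPENID_PROFILE_EMAIL = makeDemoIdToken({
  ...BASE,
  name: "Jane Doe", nickname: "jane", picture: "https://example.com/jane.png",
  updated_at: "2024-01-01T00:00:00.000Z",
  email: "jane@example.com", email_verified: true,
  // Hypothetical namespaced custom claim: user metadata appears only if a rule/action adds it.
  "https://example.com/user_metadata": { plan: "pro" },
});

console.log(auditIdTokenClaims("openid", TOKEN_OPENID_ONLY));
console.log(auditIdTokenClaims("openid profile email", TOKEN_OPENID_PROFILE_EMAIL));
console.log(buildAuthorizeUrl({ domain: "example-tenant.auth0.com", clientId: "abc123clientid",
  redirectUri: "https://app.example.com/callback", audience: "https://api.example.com/",
  scope: "openid profile email", state: "s1", nonce: "n-0S6_WzA2Mj" }));
```

Run it with `node`: the first audit shows only `sub` released for `openid`, the second shows the `profile` and `email` claims the user actually has (absent profile claims such as `given_name` are simply not released, not an error) and flags the namespaced metadata claim as outside the standard set. Because the audit works on the decoded payload only, it belongs after, never instead of, signature and claim validation in a real client.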
Thanks for your reply. That is a relief! I am using the `audience` parameter, which means that I am using the OIDC compliant authentication.