How do I handle the legacy access_token?

I’m trying to build a Google Action that does account linking using Auth0. Login works fine, but after login Google is not sending my services the JWT token; it’s sending the shorter access_token, and as far as I can tell there’s no way to change that. I see a lot of documentation on Auth0 about how to use the JWT but nothing on what to do with that older access_token. Thanks.

Ok, was finally able to figure this out: In the Advanced Settings of my app there’s a /userinfo endpoint. I just need to send it the access_token and I get back the user information.

So there is no way to include scopes in the access_token using the implicit OpenID Connect flow?

To me it seems like an unnecessary HTTP request to have to call /userinfo for the user’s scopes every time a request is made.

Yeah I agree, this is the problem the JWT is trying to solve…but Google Actions doesn’t support JWT so here we are. One thing I was considering is storing the key and the information returned from it in my application in some sort of session object. But as of now it’s doing that request every single time.

Try adding audience to the WebAuth parameters. Worked for me :)

Could you be more specific? Where do I add this parameter? And to confirm this will solve the problem of having to do the extra API call whenever my webhook service is called?

// Straight quotes (the original post had curly quotes, which are a syntax error),
// and a separate variable name so the auth0 library object is not overwritten.
const webAuth = new auth0.WebAuth({
  domain: 'DOMAIN',            // your Auth0 tenant domain
  clientID: 'CLIENTID',        // the application's client ID
  redirectUri: 'REDIRECTURL',  // must match an Allowed Callback URL
  responseType: 'token id_token',
  scope: 'openid SCOPES',
  audience: 'Unique API ID'    // identifier of your custom API; makes the access token a JWT
});

https://auth0.com/docs/tokens/access-token#access-token-format
"If the audience is set to the unique identifier of a custom API, then the Access Token will be a JSON Web Token (JWT)."

Unless I’m misunderstanding here, I’m at the mercy of what Google Actions decides to send me. Currently it’s only sending me the old access token so I have to do the extra call to get user data. AFAIK I can’t configure my Google Actions app to include any additional params.
