How do I securely pass identity from the frontend to the backend?

I’m interested in setting up a serverless C# backend, with a static website Angular frontend (using the auth0-angular package). This has a very normal flow:

  1. Hide most of the Angular app behind the auth0 route guard, until they have signed in with the Universal Login
  2. Append an access token to any API calls the Angular frontend makes
  3. The C# backend verifies the token before taking any action

One hitch was setting up the backend, since there is no Azure Functions C# quickstart. Thankfully, someone has an example on GitHub that works.

The final problem I’m running into is that many of our API calls depend on knowing the identity of the user. Ideally, we want their nickname, and their ID in our database. We’ll need this information for many queries in all of our applications.

According to the docs, “Do not use ID tokens to gain access to an API,” and “Access tokens must never be used for authentication.”

So we run into an issue for basically any application… say it’s a photo gallery. We’ll need to only fetch photos the logged-in user owns, and only allow them to edit or delete photos they own. But auth0-angular only passes an access token to the backend, saying that the user is allowed to access the fetch photos endpoint. We don’t know the ID of the user. And I can’t just pass the user ID as a header or URL parameter - because then, any malicious person could get an access token to the endpoint, open up Postman, change the URL parameter from ‘John.Doe’ to ‘Jane.Doe’ or from ID ‘1’ to ID ‘2’, and pretend to be someone else.

So, what am I missing here? It seems we can use the /userinfo endpoint up to 5x a minute per user, which might work if we can cache the result - although, I don’t think this would be trivial on a serverless platform like Azure Functions. Can we make a scope for every ID in the database? Do we ignore your advice, and make some auth0 rule to append identity information to the access token? Should I add Angular code to also append the ID token to every API call, then verify both tokens on the backend?

What’s the best approach for this?

Hi @matthew.neidig,

Welcome to the Community!

If you simply need a unique user identifier in the token, then you can use the sub claim in the access token. This is the user_id, which is unique to that user’s profile.

In addition, you can append information to the token using custom claims and a rule.

Hope this helps,
Dan
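
The approach from the answer above, as an added example that is not part of the original thread or Auth0's own code: the C# backend validates the access token, reads the user's identity from its sub claim, and makes the photo-ownership decision from that value alone. It assumes the System.IdentityModel.Tokens.Jwt package; the issuer, audience, user IDs, photo IDs and the names PhotoApi, GetUserId and CanEdit are constructed for illustration, and a locally generated RSA key stands in for the tenant's signing key.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class PhotoApi
{
    // Constructed placeholders; use your own tenant domain and API identifier.
    const string Issuer = "https://tenant.example.invalid/";
    const string Audience = "https://photos.example.invalid/api";

    // Validates the access token and returns its sub claim (the user_id).
    public static string GetUserId(string accessToken, SecurityKey signingKey)
    {
        // MapInboundClaims = false keeps the claim type as "sub" instead of
        // rewriting it to the long ClaimTypes.NameIdentifier URI.
        var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
        var principal = handler.ValidateToken(accessToken, new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = signingKey,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        }, out _);
        return principal.FindFirst("sub")?.Value
            ?? throw new SecurityTokenException("access token has no sub claim");
    }

    // Ownership is decided from the validated sub only, never from a header
    // or URL parameter the caller controls.
    public static bool CanEdit(string userId, IReadOnlyDictionary<string, string> owners, string photoId)
        => owners.TryGetValue(photoId, out var owner) && owner == userId;

    public static void Main()
    {
        // Constructed token signed with a local RSA key that stands in for
        // the tenant's signing key (normally fetched from its JWKS document).
        using var rsa = RSA.Create(2048);
        var key = new RsaSecurityKey(rsa);
        var token = new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            Issuer, Audience, new[] { new Claim("sub", "auth0|constructed-john") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.RsaSha256)));
        var owners = new Dictionary<string, string>
            { ["photo-1"] = "auth0|constructed-john", ["photo-2"] = "auth0|constructed-jane" };
        var userId = GetUserId(token, key);
        Console.WriteLine($"{userId} photo-1={CanEdit(userId, owners, "photo-1")} photo-2={CanEdit(userId, owners, "photo-2")}");
    }
}
```

Because the sub value is covered by the token's signature, editing a URL parameter or header in Postman does not change which user the backend sees.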