How do I verify the user on the backend?

Russell · January 29, 2019, 10:30am

I have a front end web-app & a backend api. On the backend api, I want to get the current users email.

Currently, on the web-app, I have a Access_Token and a Id_Token The Access_Token is what I need to authenticate for the api, but it does not have the user info that I need (email)

The Id_Token can be decrypted to get the users email

Here is the functionality that I want: If someone hits GET /friends My API will only fetch the friends for the currently authenticated user

What is the best way do this? The options I thought of so far:

Send both the Access_Token and Id_Token to the API, and decrypt the Id_Token for the user data
Send only the Access_Token , then use the Access_Token on the API to request a new Id_Token from auth0
On the web-app, decrypt the Access_Token , add the email to it, then encrypt

Thanks in advance for any help!

prashantT · March 7, 2019, 2:23am

As the email is a standard OIDC claim, you can request this in your authentication request using the scope parameter.

Here is a sample showing how you can request the standard OIDC claims (including email) in your authentication flow.

Topic		Replies	Views
Mix of front-end auth and back-end usage of user profile information Get Help	3	3318	July 26, 2019
Best practice to find a user in my API database from a verified JWT access token Get Help jwt , auth0 , api	3	3932	July 8, 2021
Get user data server side Get Help userinfo , login	2	6823	March 2, 2018
How to get user Info like email after successful login Get Help jwt , auth0 , management-api	2	6716	September 2, 2019
Rudimentary question about access_token and communicating with API Get Help	2	3270	August 26, 2019

How do I verify the user on the backend?

Related topics