How do I verify the user on the backend?

I have a front-end web-app & a backend API. On the backend API, I want to get the current user's email.

Currently, on the web-app, I have an Access_Token and an Id_Token. The Access_Token is what I need to authenticate for the API, but it does not have the user info that I need (email).

The Id_Token can be decrypted to get the user's email.

Here is the functionality that I want: if someone hits GET /friends, my API will only fetch the friends for the currently authenticated user.

What is the best way to do this? The options I thought of so far:

  1. Send both the Access_Token and Id_Token to the API, and decrypt the Id_Token for the user data
  2. Send only the Access_Token, then use the Access_Token on the API to request a new Id_Token from auth0
  3. On the web-app, decrypt the Access_Token, add the email to it, then encrypt

Thanks in advance for any help!


As the email is a standard OIDC claim, you can request this in your authentication request using the scope parameter.

Here is a sample showing how you can request the standard OIDC claims (including email) in your authentication flow.
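As an added example (not from this thread or Auth0's own sample), here is how the backend side of GET /friends can take the email from a token whose `email` scope was requested at login: the API checks the signature, issuer, audience and expiry itself and never trusts an email the client decoded or added. The issuer, audience and signing secret are placeholders; Auth0 signs with RS256 against the tenant's JWKS, while this offline demo uses an HMAC key so it runs stand-alone.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real API verifies Auth0's RS256 signature
# against the tenant JWKS instead of sharing an HMAC secret.
DEMO_SECRET = b"constructed-demo-secret"
ISSUER = "https://example-tenant.auth0.com/"   # placeholder issuer
AUDIENCE = "friends-api"                        # placeholder API identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_demo_token(claims: dict) -> str:
    """Demo-only issuer: builds an HS256 JWT the way the real issuer would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_and_get_email(token: str, now=None):
    """Return the email claim only when signature, iss, aud and exp all check out."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: reject anything unexpected, including "none".
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(DEMO_SECRET, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:
        return None
    # Present only if the client asked for the `email` scope when logging in.
    return claims.get("email")

def friends_for_request(token: str, friends_db: dict, now=None):
    """GET /friends: look up by the verified email, never by a client-supplied one."""
    email = verify_and_get_email(token, now)
    if email is None:
        return 401, []
    return 200, friends_db.get(email, [])
```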