How do I verify the user on the backend?

Russell · January 29, 2019, 10:30am

I have a front end web-app & a backend api. On the backend api, I want to get the current users email.

Currently, on the web-app, I have a Access_Token and a Id_Token The Access_Token is what I need to authenticate for the api, but it does not have the user info that I need (email)

The Id_Token can be decrypted to get the users email

Here is the functionality that I want: If someone hits GET /friends My API will only fetch the friends for the currently authenticated user

What is the best way do this? The options I thought of so far:

Send both the Access_Token and Id_Token to the API, and decrypt the Id_Token for the user data
Send only the Access_Token , then use the Access_Token on the API to request a new Id_Token from auth0
On the web-app, decrypt the Access_Token , add the email to it, then encrypt

Thanks in advance for any help!

prashantT · March 7, 2019, 2:23am

As the email is a standard OIDC claim, you can request this in your authentication request using the scope parameter.

Here is a sample showing how you can request the standard OIDC claims (including email) in your authentication flow.

Topic		Replies	Views
User info from a Acess Token Help	4	2673	February 14, 2020
Using access_tokens and id_tokens together Auth0 Help jwt , auth0 , login	3	3389	September 3, 2019
Validating access token and extract useremail and scope Help extensibility , rules-externsibility	2	1831	November 14, 2022
Confusion around how to use id_token and access_token Help id_token , access-token	7	13058	March 2, 2018
ID token missing email and profile claims Help email , openid , id-token	5	9819	August 9, 2019

How do I verify the user on the backend?

Related topics