How to Access the User Profile From a JWT Authentication

I have a single-page JS app and a Java (Spring Security) API. I have secured my API endpoint and can authenticate with a token. In the backend API I want to access some user info, specifically some metadata, so I can work out what the authenticated user's tenancy is. How do I get the authenticated user's profile in JSON or as an object? Can it be derived from the token, or do I need to make another call back to the issuer?


By default the access token issued for use against your own API (currently a JWT) will contain the user identifier as the sub claim; this allows you to uniquely identify the user in question.

If you need further information you can either include it as a custom claim when the access token is issued or obtain it through other means by leveraging the unique user identifier you received.

In order to include custom claims, which might be your best option if the information you require is small, check the reference docs on how to include custom claims. Note that the docs mostly show how it’s done for the ID token, but there’s a note explaining that for the access token issued to APIs it’s mostly the same:

If you need to add custom claims to the access token, the same applies but using context.accessToken instead.

As an alternative when you require complete information about the user, but with the downside of an extra call, you can use client credentials grant from your own API to perform Management API calls that would give you complete access to the user data available in Auth0.

Many thanks for your help.

I’ve added the custom data to my user’s app_metadata which will identify their tenancy within my own system.

"app_metadata": {
     "organisation": "company1"
}

I’ve then created a rule on my database connection as follows:

function (user, context, callback) {
  // Only add the claim for the client application that calls the API
  if (context.clientID === 'MYCLIENTID') {
    context.accessToken['organisation'] = user.app_metadata.organisation;
  }
  callback(null, user, context);
}

I am authenticating the user via /oauth/token, which successfully returns a JWT token. I am accessing that via the authenticated principal and can debug to see the contents of the decoded token. However, I cannot see the ‘organisation’ element which should have been added. I have re-authenticated several times and retried the new token; I’ve also tried using Postman and decoding the token via jwt.io. The user authenticates correctly and I can see the sub value showing their Auth0 id. I have also checked the rule condition: the client ID is correct and I can also see it in the decoded token.

I have tested the rule with some dummy data and it looks correct; I see the access_token with the organisation value as expected. It looks to me like the rule isn’t getting executed when I authenticate from my client application. Can you advise please?

Thanks.

John

Need to add it as an HTTP URL, as described in the doc:

“Any non-Auth0 HTTP or HTTPS URL can be used as a namespace identifier, and any number of namespaces can be used. The namespace URL does not have to point to an actual resource, it’s only used as an identifier and will not be called by Auth0.”