How to access user email address?

I’m using the python auth0 sdk for user management in a webapp. Everything has been going fine, login/logout/session details all work perfectly. I’m nearing release of the first alpha and the last thing I need to do is store users’ emails in dynamodb for notification. The problem is…email address isn’t in the session info! This is the session I’m getting from Auth0 using a “print session”:

    {u'family_name': u'Burgundy', u'name': u'Ron Burgundy', u'picture': u'https://scontent.xx.fbcdn.net/v/t1.0-1/c15.0.50.50/p50x50/10354686_1012121212121212_220367501106153455_n.jpg?oh=b7a22416832612429f32d3e7cd356fd5&oe=5A262F2F', u'locale': u'en-US', u'gender': u'male', u'updated_at': u'2017-08-09T06:50:53.333Z', u'given_name': u'Ron', u'nickname': u'panther', u'sub': u'facebook|1212121212121212'}

How do I get access to the user’s email address? I can look it up in the auth0 console so it’s certainly being provided by google/facebook etc. Am I missing something, is it available in the session info but I’m looking in the wrong place? Do I have to look it up from Auth0 from within my app? If so, how?

1 Like

Technically, I never used the Python SDK, but based on the information you provided I have a good guess about the possible reason for the behavior you’re experiencing. When your client application performs authentication through Auth0, in particular, according to the OpenID Connect (OIDC) specification, it can specify which user information should be made available upon completion of the authentication.

At this time, you’re obtaining the following properties family_name, name, picture, locale, gender, updated_at, given_name, nickname and sub. The sub claim will be returned by default in every OIDC authentication and the other properties are returned when the client application includes the profile scope as part of the initial request. See this section of the specification to know which claims/properties map to known OIDC scopes.

This suggests that your application is including scope=openid profile somewhere in the configuration of the authentication request. Given you also want to have email address information available to you, you should ensure that the scope requested is instead scope=openid email profile. As you can see from the link above, including the email scope will mean additional information will be returned (email and email_verified claims when available). The returned information should then also be surfaced by the Python SDK in a similar fashion to how the current information is already being returned.

You, jmangelo, are a GENIUS!

Thanks very much, I would never have found that!! For anyone else that ever stumbles across this, here is the change necessary.

No email:

       auth.authorize({
         audience: 'https://'+AUTH0_DOMAIN+'/userinfo', // you can also set this on the .env file and put API_AUDIENCE instead
         scope: 'openid profile',
         responseType: 'code',
         redirectUri: AUTH0_CALLBACK_URL
       });

With email:

       auth.authorize({
         audience: 'https://'+AUTH0_DOMAIN+'/userinfo', // you can also set this on the .env file and put API_AUDIENCE instead
         scope: 'openid email profile',
         responseType: 'code',
         redirectUri: AUTH0_CALLBACK_URL
       });

Thanks again jmangelo, you saved me countless hours and heartache :)

3 Likes
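
An added example, not part of the thread and not Auth0 SDK code: once the email scope is requested, a Python backend can check the returned claims before storing an address for notifications. The function names and sample sessions are assumptions constructed here; the scope-to-claim table follows OIDC Core section 5.4.

```python
# Added example: inspect the session claims before persisting an email.
SCOPE_CLAIMS = {  # standard scopes and their claims, OIDC Core section 5.4
    "profile": {"name", "family_name", "given_name", "middle_name",
                "nickname", "preferred_username", "profile", "picture",
                "website", "gender", "birthdate", "zoneinfo", "locale",
                "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def scopes_evident(claims):
    """Return the standard scopes whose claims show up in the session."""
    present = set(claims)
    return sorted(s for s, names in SCOPE_CLAIMS.items() if present & names)


def notification_record(claims):
    """Return {'sub', 'email'} only for a verified address, else None.

    None covers three cases: the email scope was not requested, the
    identity provider supplied no address, or email_verified is not the
    boolean True (a missing flag or the string "true" is rejected).
    """
    sub, email = claims.get("sub"), claims.get("email")
    if not isinstance(sub, str) or not isinstance(email, str):
        return None
    if "@" not in email or claims.get("email_verified") is not True:
        return None
    # Key the stored record on sub; an email can change, sub does not.
    return {"sub": sub, "email": email}


# Constructed sample sessions. The first mirrors the one in the question
# (picture URL omitted); the email values are made up for illustration.
SESSION_PROFILE_ONLY = {
    "family_name": "Burgundy", "name": "Ron Burgundy", "locale": "en-US",
    "gender": "male", "updated_at": "2017-08-09T06:50:53.333Z",
    "given_name": "Ron", "nickname": "panther",
    "sub": "facebook|1212121212121212",
}
SESSION_VERIFIED = dict(SESSION_PROFILE_ONLY,
                        email="ron@example.com", email_verified=True)
SESSION_UNVERIFIED = dict(SESSION_PROFILE_ONLY,
                          email="ron@example.com", email_verified=False)

if __name__ == "__main__":
    for s in (SESSION_PROFILE_ONLY, SESSION_VERIFIED, SESSION_UNVERIFIED):
        print(scopes_evident(s), notification_record(s))
```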