How to authenticate and authorise for data embedded in an access token

Hi, so we are using username/password authentication on one of our projects, and it returns a JWT (access token); it calls the token API.

So the data on the basis of which we are authorising is stored in the user metadata, which is embedded in the token.

So how do we authenticate and authorise APIs using this scheme? Is token validation enough, and then we just extract the user data and authorise based on that? We are not using scopes, claims or rules, just the access token.

Hi @dpoojari,

Thanks for joining the Community!

In OAuth flows, an Access Token represents the authorization of an application to access an API. In this case, the application sends the Access Token as a bearer token in the authorization header to notify the API that the user has logged into the app.

With Auth0, when you register your API and use its API identifier as an audience in your application, then a JWT will be issued for the Access Token so that your API can validate it.

Yes, and you can find examples using Auth0 SDKs to do this in the Quickstart guides:

Hi @stephanie.chamblee, thanks for the reply, but one part that is not clear to me is whether the token itself is enough for authentication and authorization, or whether an API call to Auth0 is required, maybe to fetch the user metadata, in the context of the username & password flow.

The access token has the user metadata as well, but is validating the token enough, or is it better to fetch the current user metadata from Auth0, as the user metadata will be used to authorise the APIs?

For auth purposes, it should be sufficient to validate the token, as outlined in the Quickstart examples.

However, if the information is highly sensitive, then it’d be best to fetch this information instead. You can use the Access Token to retrieve profile information from your tenant’s /userinfo endpoint.

Here is additional documentation on using JWTs: JSON Web Tokens

Before a received JWT is used, it should be properly validated using its signature. Note that a successfully validated token only means that the information contained within the token has not been modified by anyone else. This doesn’t mean that others weren’t able to see the content, which is stored in plain text. Because of this, you should never store sensitive information inside a JWT and should take other steps to ensure that JWTs are not intercepted, such as by sending JWTs only over HTTPS, following best practices, and using only secure and up-to-date libraries.

And here is more information about Access Tokens:

Great, thanks, this answers my queries.

