How to link JWT to my users info database

I have created a web app and use Auth0 for authentication. Each user has his own page with personal data.

How can I connect a user logged in via Auth0 to my MySQL database in order to retrieve and update his specific data?

Hi @rutiglianomassimilia,

You can use the sub claim from the token (this is the user ID). Or you can store a separate database ID in the user’s app_metadata and add it to the token.


So I have to save the sub claim also in my MySQL table along with the other info?

That is correct. You can use this as their unique user ID.

Sorry but I started studying coding 2 months ago. I am creating a web app and I only use JS, my knowledge is not even enough.

I was reading this, honestly I’m confused about the various steps to perform, could you explain them to me in order? At least I would understand what to read and study.

Sure. When you get the token back from auth0, you can go into your database and look for a user ID matching the sub claim (the user id from auth0). If you don’t find one/the user does not yet exist, then you can create a user with that as the user id.

Does that make sense?
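The find-or-create flow described in the reply above, as an added example that is not code from the thread or from Auth0. The SQL strings are what you would send to MySQL through a parameterized client (mysql2's execute() returns [rows] in the same shape); makeFakeDb, the sample claims and the placeholder sub value are constructed here so the example runs offline.

```javascript
// Added example: find-or-create a users row keyed by the verified token's
// `sub` claim, then update that row on profile save.

function makeFakeDb() {
  const rows = new Map(); // sub -> row, standing in for the `users` table
  const log = [];         // every statement "executed", for inspection
  return {
    log,
    // Mirrors the [rows] / [result] return shape of mysql2, but synchronously.
    execute(sql, params) {
      log.push({ sql, params });
      if (sql.startsWith("SELECT")) {
        const row = rows.get(params[0]);
        return [row ? [row] : []];
      }
      if (sql.startsWith("INSERT")) {
        const [sub, email] = params;
        rows.set(sub, { sub, email, display_name: null });
        return [{ affectedRows: 1 }];
      }
      if (sql.startsWith("UPDATE")) {
        const [displayName, sub] = params;
        const row = rows.get(sub);
        if (row) row.display_name = displayName;
        return [{ affectedRows: row ? 1 : 0 }];
      }
      throw new Error("fake db: unsupported statement");
    },
  };
}

// `claims` must be the payload of a token whose signature, issuer and audience
// the Auth0 SDK or API middleware has already verified. The sub is never taken
// from a client-supplied form field.
function findOrCreateUser(db, claims) {
  if (typeof claims.sub !== "string" || claims.sub === "") {
    throw new Error("token has no sub claim");
  }
  const select = "SELECT sub, email, display_name FROM users WHERE sub = ?";
  const [found] = db.execute(select, [claims.sub]);
  if (found.length > 0) return { created: false, user: found[0] };
  db.execute("INSERT INTO users (sub, email) VALUES (?, ?)", [claims.sub, claims.email ?? null]);
  const [inserted] = db.execute(select, [claims.sub]);
  return { created: true, user: inserted[0] };
}

// Profile save: the row to update is chosen by the verified sub, not by
// anything in the submitted form, so a user can only write their own row.
function saveProfile(db, claims, form) {
  findOrCreateUser(db, claims);
  const [result] = db.execute("UPDATE users SET display_name = ? WHERE sub = ?",
                              [String(form.display_name ?? ""), claims.sub]);
  return result.affectedRows;
}

// Constructed sample payload in the shape of a decoded Auth0 ID token
// (the sub value is a placeholder, not a real Auth0 user id).
const sampleClaims = { sub: "auth0|0000example", email: "alice@example.com", email_verified: true };

function demo() {
  const db = makeFakeDb();
  const first = findOrCreateUser(db, sampleClaims);   // created: true
  const second = findOrCreateUser(db, sampleClaims);  // created: false
  const updated = saveProfile(db, sampleClaims, { display_name: "Alice" });
  return { firstCreated: first.created, secondCreated: second.created, updated,
           name: second.user.display_name, statements: db.log.length };
}
```

In a real API the claims come from whatever verified the bearer token on the server side (never from the browser's decoded copy), and the database client is asynchronous, so the calls become awaits; the lookup key and the parameterized statements stay the same.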

Of course, on a theoretical level I understand how it works, but I don’t know how to do it.

So, the user logs in with Auth0 and goes to the “Profile setting” page.

He fills out the form with his personal data, clicks save, and the data is sent to my MySQL database. Before this last point, how can I also send the user_ID to my table so that I can link that info to the single user?

You can get the sub claim from the token and add it to your database update/create request.

After login I only get this:

{
  access_token: "..."
  expires_in: 86400
  id_token: "..."
  scope: "openid profile email"
  token_type: "Bearer"
}

How can I get the sub claim user_id?

With:

import { useAuth0 } from "@auth0/auth0-react";

function Profile() {
  // useAuth0() exposes the decoded ID token claims as `user`
  const { user, isAuthenticated } = useAuth0();
  if (!isAuthenticated) return null;
  return (
    <div>
      …
      <p>{user.sub}</p>
    </div>
  );
}

I can get the sub claim but I noticed that it changes depending on the access method, so it is not unique.
If a user registers via e-mail he gets a sub, if he logs in via G-mail he gets another one.

A user logging in via email/password and a user logging in via Google social are considered separate users, so they will have different IDs.

Those are separate identity providers.

The sub claim is in the access token and ID token. Which Auth0 SDK are you using?

I use React SDK, if there is no solution to the problem I will have to use the email as an identifier.

You can use user.sub to get the claim.

The issue with using the email is that the real user could log in with gmail, and a malicious user could log in with the same email, unverified, and have access to the user’s data from your DB.

Do you see what I mean?
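The lookup the reply above warns against, beside the sub-keyed one, as an added example that is not code from the thread or from Auth0. Both functions take the payload of an already-verified token; usersTable, the three token payloads and their placeholder sub values are constructed for the example.

```javascript
// Added example: why keying the profile on e-mail is unsafe, and what to use.

// Alice registered through Google; her row is keyed by that identity's sub.
const usersTable = [
  { sub: "google-oauth2|1111example", email: "alice@example.com", display_name: "Alice" },
];

// Unsafe: any identity that merely claims the same e-mail resolves to Alice's
// row, including a username/password signup that never verified the address.
function lookupByEmailUnsafe(table, claims) {
  return table.find((r) => r.email === claims.email) ?? null;
}

// Safe: resolve the row by the provider-issued sub, as the thread recommends.
// A different identity gets nothing, even with the same e-mail.
function lookupBySub(table, claims) {
  return table.find((r) => r.sub === claims.sub) ?? null;
}

// E-mail may only ever suggest a candidate for account linking, and only when
// the token says the provider verified it. The link itself is still made
// through Auth0's account linking feature, not by silently merging rows.
function linkCandidateByVerifiedEmail(table, claims) {
  if (claims.email_verified !== true) return null;
  return table.find((r) => r.email === claims.email && r.sub !== claims.sub) ?? null;
}

// Alice's real Google login, a malicious database signup that reused her
// address without verifying it, and Alice later signing in with Facebook.
const aliceClaims = { sub: "google-oauth2|1111example", email: "alice@example.com", email_verified: true };
const maliciousClaims = { sub: "auth0|2222example", email: "alice@example.com", email_verified: false };
const aliceFacebookClaims = { sub: "facebook|3333example", email: "alice@example.com", email_verified: true };

function demo() {
  return {
    unsafeLeaksAliceRow: lookupByEmailUnsafe(usersTable, maliciousClaims) !== null,
    safeGivesNothing: lookupBySub(usersTable, maliciousClaims) === null,
    maliciousCannotLink: linkCandidateByVerifiedEmail(usersTable, maliciousClaims) === null,
    aliceResolves: lookupBySub(usersTable, aliceClaims)?.display_name === "Alice",
    facebookIsLinkCandidate:
      linkCandidateByVerifiedEmail(usersTable, aliceFacebookClaims)?.sub === "google-oauth2|1111example",
  };
}
```

The third function is the only place e-mail appears, and it is gated on email_verified; an unverified identity never reaches an existing user's row by either path.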

Yes, so if I use the sub claim, will I have to add all the authentication methods to each user of my table?
But how can I link the various accounts securely?
Let me explain, in my web-app you can register via auth0 sign-up, google and facebook. How can I understand that a user registered through google is the same one who logs in through facebook?

@rutiglianomassimilia,

We have an account linking feature for this:

The important thing here is that the emails are verified.
