Our backend service requires user context (id, email) to be passed with each API call. Before Auth0, we had our own account service that generated a JWT token encoding the user context. This JWT was verified by the API endpoints to extract the user context.
We’re now trying to use Auth0 (login with Github only), where we obtain an access token from Auth0 that is then passed to the API endpoint. The accessToken contains a sub field with a value like “github|1234567890”.
Is there a way to get an accessToken with the sub value set to our user context?
The typical application flow is as follows:
Application logs in using Github credentials.
Auth0 provider provides Github user details.
We look up our own user database using the email address for the Github user and create a new user if required.
After this point, the user can access our API endpoints.
The API endpoint would rather deal with our notion of the user instead of the Github user.
One solution is that the user context can be sent outside the accessToken (i.e. the user context need not be encoded in the accessToken). And yes, the requests are secured by HTTPS. I am wondering if this is still a secure practice?
Hello @support12. If you just want to get the email address and other data in the token, you can certainly do that. For email address, you can request the email scope when you call the authorization endpoint. For claims not covered by a standard scope, you can add custom claims to your tokens using Auth0 Rules.
And it returns the following accessToken (decoded), where I see the scope field has the email claim listed in addition to openid and profile. Is the email scope already requested, and should the accessToken have contained the email value?
Last night I discovered using Rules to add email address to the access token. While this works, I would like to avoid using Rules if I can use the email scope while requesting the access token.
The mistake was mine … email is a standard OpenID Connect scope, but you are talking about access tokens, not ID tokens. Specifying email when requesting an ID token will result in the email address being added to the ID token. I don’t think it adds email to the access token, in which case you would need to use a Rule. I’ll test this myself to be certain.