How to re-issue an accessToken with user context?

Our backend service requires user context (id, email) to be passed with each API call. Before auth0, we had our own account service that generated JWT token which encoded the user context. This JWT was verified by the API end points to extract the user context.

We’re now trying to use Auth0 (login with Github only) where we obtain the access token from Auth0 that is now passed to the API endpoint. The accessToken contains a sub field with a value like “github|1234567890”.

Is there a way to get an accessToken with the sub value set to our user context?

Typical application flow is as follows

  1. Application logs in using Github credentials
  2. The Auth0 provider provides the Github user details.
  3. We look up our own user database using the email address for the Github user and create a new user if required.
  4. After this point, the user can access our API endpoints.
  5. The API endpoint would rather deal with our notion of the user instead of the Github user.

One solution is that the user context can be sent outside the accessToken (i.e. the user context need not be encoded in the accessToken). And yes, the requests are secured by HTTPS. I am wondering if this is still a secure practice?

Hello @support12. If you just want to get the email address and other data in the token, you can certainly do that. For email address, you can request the email scope when you call the authorization endpoint. For claims not covered by a standard scope, you can add custom claims to your tokens using Auth0 Rules.

Hi @markd

Thanks for your response.

We are using Auth0’s React SDK and the application uses getAccessTokenSilently without explicitly requesting the email scope.

    try {
      let accessToken = await getAccessTokenSilently({
        audience: config.auth0.audience,
      });
      ...
    } catch (error) {
      ...
    }

And it returns the following accessToken (decoded), where I see the scope field has the email claim listed in addition to openid and profile. Is the email scope already requested, and should the accessToken have contained the email value?

{
  iss: 'https://tenant.us.auth0.com/',
  sub: 'github|12345678',
  aud: [ 'https://api.example.com/api/' ],
  iat: 1608055049,
  exp: 1608141449,
  azp: 'h0PmOiFYWwoJtpiqvEczEUty2gTEGLvP',
  scope: 'openid profile email' 
}

I tried adding the email scope to getAccessTokenSilently, but it returns exactly the same token.

    try {
      let accessToken = await getAccessTokenSilently({
        audience: config.auth0.audience,
        scope: "email",
      });
      ...
    } catch (error) {
      ...
    }

Last night I discovered using Rules to add email address to the access token. While this works, I would like to avoid using Rules if I can use the email scope while requesting the access token.

Any thoughts on what I am doing wrong?

Thanks in advance!

The mistake was mine … email is a standard OpenID Connect scope, but you are talking about access tokens, not ID tokens. Specifying email when requesting an ID token will result in the email address being added to the ID token. I don’t think it adds email to the access token, in which case you would need to use a Rule. I’ll test this myself to be certain.
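For reference, here is what the Rule approach mentioned above looks like, written as an added example that is not from anyone in this thread: a Rule that copies the verified email into a namespaced custom claim on the access token, plus the API-side read of that claim from an already signature-verified payload. The claim namespace `https://api.example.com/email`, the `email_verified` check and the sample user are assumptions, not something the thread states.

```javascript
// Assumed namespace: Auth0 requires custom claims to be URL-formatted so
// they cannot collide with registered claims such as sub or aud.
const EMAIL_CLAIM = 'https://api.example.com/email';

// Auth0 Rule signature: (user, context, callback). Claims set on
// context.accessToken are embedded in the access token Auth0 issues.
function addEmailToAccessToken(user, context, callback) {
  // Defensive assumption: only assert an address the identity provider
  // has verified, so an unverified email never becomes the API identity.
  if (user.email && user.email_verified) {
    context.accessToken[EMAIL_CLAIM] = user.email;
  }
  return callback(null, user, context);
}

// API side: derive the user context from a payload whose signature,
// issuer and expiry have ALREADY been verified by the JWT middleware.
// Returns null when the audience or claim is missing so the caller can
// reject the request instead of falling back to the raw github|... sub.
function userContextFromPayload(payload, expectedAudience) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expectedAudience)) return null;
  const email = payload[EMAIL_CLAIM];
  if (typeof email !== 'string' || email.length === 0) return null;
  return { sub: payload.sub, email: email };
}

// Constructed sample run: simulate Auth0 invoking the Rule for a user and
// assemble the access-token payload the API would later receive.
function simulateIssuedPayload(user) {
  const context = { accessToken: {}, idToken: {} };
  let payload = null;
  addEmailToAccessToken(user, context, function (err, u, ctx) {
    if (err) return;
    payload = Object.assign(
      { sub: 'github|12345678', aud: ['https://api.example.com/api/'] },
      ctx.accessToken
    );
  });
  return payload;
}

const demo = simulateIssuedPayload({ email: 'dev@example.com', email_verified: true });
console.log(userContextFromPayload(demo, 'https://api.example.com/api/'));
```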

That is correct. I would like email address to be included in the accessToken.

If you can find a way to include email address in the accessToken by only specifying email scope, please let me know.

thanks!