@kimcodes, let me list out the steps…
- Request for authentication using the scope “openid profile”, invoking the authorization code grant (PKCE) API. Namely, the request is Sign In with Auth0
- I get the authorization code in return, which I exchange for an access token and ID token by making a request to the token exchange endpoint with the body:
{
grantType: authorization_code
clientId: D2XTLMKl50letQEGgfo0LQccizZAUCjo
code: 9PMfBaJWpfx85-gb
codeVerifier: wNJy2CcukoNu_oFThm4H5RU2d1WDNEm8VAACOeRWOS8
redirectUri: http://localhost:8086/ui
}
- But the response to the above only contains the access token, namely:
{
accessToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1EaEJRVGRET1RZNU1FWXhOREJCTlRnNU1UUkZRa05ETUVRME1qSXpRelEyTURBNFJFVTVOZyJ9.eyJpc3MiOiJodHRwczovL2lkdmVyaWZhY3QuYXV0aDAuY29tLyIsInN1YiI6Imdvb2dsZS1vYXV0aDJ8MTA1OTg4NjkyMTQ4Mzc1ODAyOTc3IiwiYXVkIjoiaHR0cHM6Ly9tZWRpYXRpb24uc2VjdXJla2V5LmNvbSIsImlhdCI6MTUyMzg5NjE3MSwiZXhwIjoxNTIzOTgyNTcxLCJhenAiOiJEMlhUTE1LbDUwbGV0UUVHZ2ZvMExRY2NpelpBVUNqbyJ9.Md-kgF_-tkZb2RKNt0zRnn80jP8KAd-nBt4jPhsQ6SRu1usbtBh9N5VMJaicmoajYgsOpq97If8ViJu5ENlPztH3pGRAUwPow961q0BI87-GDcmB6-C26js9FVaGSwHPxYKvydHihyfO2dP0ZQFVe_31d2JhPqH0zV9qtZ2T3wZyzrtH-JT4pkrdv5bE6r7WoGD5SWxqOZHXqF5yQAB9GAHmr-sznm18EP2HkB14he4WxYbFnMYhNpgfo4QgR4CnNWF_kb2rM3GAy6AK88Is-mHrNTzvzB3piMVr06BcSWy3a882QV3581JvjfFJh-OazPX_8iYvy0lggmjaIRNlkA
refreshToken: null
idToken: null
tokenType: Bearer
expiresIn: 86400
}
If I were to use “openid” rather than “openid profile” as scope, it does return the idToken.
I have set up Rules to return customized claims in the ID Token under my own namespace. If I just have “openid” as the scope, I can see my customized claims appear as expected in the ID Token, as well as in the response from the /userinfo endpoint.