Incomplete access token

Hi,

When I make a call to /oauth/token with username and password I get an access token that, once decoded, contains something like this:

{
  "iss": "https://...auth0.com/",
  "sub": "auth0|...",
  "aud": "https://...auth0.com/api/v2/",
  "iat": 1563474178,
  "exp": 1563560578,
  "azp": "...",
  "scope": "email read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities",
  "gty": "password"
}

When I log in to our website using the integrated OAuth web form, I get an access token that contains much more information, like this:

{
  "https://.../roles": [
    "employee"
  ],
  "email": "...",
  "name": "...",
  "picture": "...",
  "nickname": "...",
  "last_password_reset": "2019-01-25T15:21:38.953Z",
  "app_metadata": {
    "roles": [
      "employee"
    ]
  },
  "roles": [
    "employee"
  ],
  "email_verified": true,
  "clientID": "...",
  "updated_at": "2019-07-17T18:43:19.910Z",
  "user_id": "auth0|...",
  "identities": [
    {
      "user_id": "...",
      "provider": "auth0",
      "connection": "Username-Password-Authentication",
      "isSocial": false
    }
  ],
  "created_at": "2018-09-17T12:43:07.133Z",
  "https://.../roles": [
    "employee"
  ],
  "iss": "https://.../",
  "sub": "auth0|...",
  "aud": "...",
  "iat": 1563389000,
  "exp": 1563561800
}

How can I make the /oauth/token request return a “complete” access token? I’ve tried everything in the scope (email openid profile offline_access), and the id token returned when using profile includes some of that info, but I want the full access token, not a split up thing.

Thanks!

I think you’re confusing access token and ID token.

  • The token on top is an access token.
  • The token at the bottom is an ID token.

These are two different things.

You can use an access token (with scopes openid profile email) to get the same info as is in an ID token by calling the /userinfo endpoint of the Authorization Server (in this case Auth0), as per the OpenID Connect specification.

See the different token types explained:

Can you show the code (or all request parameters, scopes, requestTypes, etc.) for how you’re making the request to /oauth/token shown first? But I already think I found the problem.
I think you’re missing the openid profile scopes.

Try this request:

POST https://YOUR_TENANT.eu.auth0.com/oauth/token

with the following (note the scopes! You can add your other ones there as well) key/value pairs (x-www-form-urlencoded):

grant_type:password
username:USERNAME
password:PASSWORD
scope:openid profile email
client_id:CLIENT_ID
client_secret:CLIENT_SECRET
audience:YOUR_AUDIENCE

which will give you both access and ID token.

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJ....",
    "expires_in": 86400,
    "token_type": "Bearer"
}

Then you’ll have your ID Token.

By the way: you’re using the so-called “Resource Owner Password” grant. Note that this isn’t the most recommended flow, because it is less secure than e.g. the Authorization Code Grant. The latter should be used if possible.

If you can use redirect-based flows from your app, we recommend using the Authorization Code Flow instead. (Authentication API Explorer)

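To make the access-token/ID-token distinction in the answer above concrete, here is an added example (not code from the thread or from Auth0) that builds the form body for the password-grant request, decodes both tokens from a /oauth/token response, and classifies each by its claims: an ID token is addressed to the client (aud equals the client_id) and carries profile claims, while an API access token is addressed to the API identifier and carries a scope string. The tenant URL, client ID and audience are placeholders, the sample tokens are constructed locally with a dummy signature, and the decoder deliberately does not verify signatures; it is for inspection only, and a real consumer must verify the signature, iss, aud and exp against the tenant's JWKS before trusting any claim.

```python
"""Inspect Auth0 /oauth/token responses: tell an access token from an ID token.

Added example, not code from the original thread or from Auth0. The JWT
decoder below does NOT verify signatures (inspection only); before a claim
is trusted, verify the signature, iss, aud and exp against the tenant JWKS.
"""
import base64
import json
import time
from urllib.parse import urlencode

# Placeholders (assumptions, not real tenant values).
TENANT = "https://YOUR_TENANT.eu.auth0.com/"
CLIENT_ID = "CLIENT_ID"
API_AUDIENCE = "https://YOUR_TENANT.eu.auth0.com/api/v2/"


def build_password_grant_body(username, password, client_id, client_secret,
                              audience, scope="openid profile email"):
    """Form-encoded body for POST {TENANT}oauth/token (Resource Owner Password grant).

    The 'openid' scope is what makes Auth0 return an id_token beside the access_token.
    """
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    })


def userinfo_request(tenant, access_token):
    """URL and headers for the OpenID Connect /userinfo call with a bearer access token."""
    return tenant.rstrip("/") + "/userinfo", {"Authorization": "Bearer " + access_token}


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(token):
    """Return the payload claims of a compact JWS. No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(claims, client_id, api_audience, now=None):
    """Classify decoded claims as 'id_token', 'access_token', 'expired' or 'unknown'.

    ID token: aud == client_id (token is for the client). Access token for an API:
    aud contains the API identifier and a scope string is present. Expiry is
    reported first so callers never act on stale claims.
    """
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("exp") is not None and claims["exp"] <= now:
        return "expired"
    if client_id in audiences and api_audience not in audiences:
        return "id_token"
    if api_audience in audiences and "scope" in claims:
        return "access_token"
    return "unknown"


def classify_response(token_response, client_id, api_audience, now=None):
    """Classify every token present in a /oauth/token JSON response body."""
    return {
        key: classify_token(decode_jwt_payload(token_response[key]), client_id, api_audience, now)
        for key in ("access_token", "id_token") if key in token_response
    }


def make_unsigned_jwt(claims):
    """Build a CONSTRUCTED sample token with a dummy signature, for this demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.dummysig"


# Constructed samples mirroring the shape of the two tokens in the question.
SAMPLE_ACCESS_TOKEN = make_unsigned_jwt({
    "iss": TENANT, "sub": "auth0|abc", "aud": API_AUDIENCE,
    "iat": 1563474178, "exp": 1563560578, "azp": CLIENT_ID,
    "scope": "email read:current_user", "gty": "password",
})
SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "iss": TENANT, "sub": "auth0|abc", "aud": CLIENT_ID,
    "iat": 1563389000, "exp": 1563561800, "email": "user@example.com",
    "name": "Example User", "email_verified": True,
})

if __name__ == "__main__":
    response = {"access_token": SAMPLE_ACCESS_TOKEN, "id_token": SAMPLE_ID_TOKEN,
                "expires_in": 86400, "token_type": "Bearer"}
    # Evaluate at a fixed instant inside both tokens' validity windows.
    print(classify_response(response, CLIENT_ID, API_AUDIENCE, now=1563500000))
```

The classifier is only a sanity check on which token you are holding; an API that receives the password-grant access token and then looks for ID-token claims in it will fail, as the original poster saw, because those claims were never meant to be there.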

Hi,

Thanks for the answer. Let me see if I can explain myself better. When doing the login using the web form I get an access token that, once decoded, contains the information of the access token and the ID token.

If I use the access token I get on /oauth/token with our API, it doesn’t work because the API uses some of the fields of the ID token that are embedded in the access token from the web form. That’s why I need to get an access token that includes the information of the ID token through /oauth/token.

Thanks,

Hi @olav

When doing the login using the web form I get an access token that, once decoded, contains the information of the access token and the ID token.

Auth0 doesn’t embed an ID Token or ID token information into an access token, unless that’s been additionally implemented via the Rules engine. Note that the second token in your first post above is NOT an access token; it is entirely just an ID token.

You should be able to check it in the response: the response you’re getting back from Auth0 usually looks like what I’ve posted,

authResult: {
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJ....",
     ...
}

so are you sure you are referring to the token that is in access_token and not in id_token?

It would be really helpful if you could post the raw response body you’re getting back from the server after the /oauth/token request, just to be sure.

the login using the web form

Which web form are you referring to? I assume this is something within your client application?

How do we get last_password_reset in the /userinfo response body?

Hello Olav,

How did you get your scope to return the string “email read:current_user…”?
I am having an issue where I am only getting back “openid profile email”.
