Incomplete access token

I think you’re confusing access token and ID token.

  • The token on top is an access token.
  • The token at the bottom is an ID token.

These are two different things.

You can use an access token (with scopes openid profile email) to get the same info as they are in an ID token by calling the /userinfo endpoint of the Authorization Server (in this case Auth0) as per OpenID Connect specification.

See the different token types explained:

Can you show the code (or all request parameters, scopes, request types, etc.) for how you’re making that request to the /oauth/token endpoint shown first? But I already think I found the problem.
I think you’re missing the openid profile scopes.

Try this request:

POST https://YOUR_TENANT.eu.auth0.com/oauth/token

with the following (note the scopes! You can add your other ones there as well) key/value pairs (x-www-form-urlencoded):

grant_type:password
username:USERNAME
password:PASSWORD
scope:openid profile email
client_id:CLIENT_ID
client_secret:CLIENT_SECRET
audience:YOUR_AUDIENCE

which will give you both an access token and an ID token.

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJ....",
    "expires_in": 86400,
    "token_type": "Bearer"
}

Then you’ll have your ID Token.

By the way: you’re using the so-called “Resource Owner Password” grant. Note that this isn’t the most recommended flow, because it is less secure than, e.g., the Authorization Code Grant. The latter should be used if possible.

If you can use redirect-based flows from your app, we recommend using the Authorization Code Flow instead. (Authentication API Explorer)
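As an added example (not part of the original post), the request above assembled and the response split into its two distinct tokens, in Python. The tenant, client and audience values are the placeholders from the post, and the sample tokens are constructed locally, not real Auth0 output.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(username, password, client_id, client_secret,
                        audience, scope="openid profile email"):
    """Build the x-www-form-urlencoded body for the Resource Owner Password
    grant. Refuses a scope without 'openid': then no id_token comes back."""
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' to receive an id_token")
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope,
                      "client_id": client_id, "client_secret": client_secret,
                      "audience": audience})


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_claims(jwt):
    """Decode header and payload for inspection only. This does NOT verify
    the signature; verify against the tenant's JWKS before trusting a claim."""
    header, payload, _sig = jwt.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def parse_token_response(body):
    """Split the /oauth/token JSON into (access_token, id_token)."""
    data = json.loads(body)
    if "id_token" not in data:
        raise ValueError("no id_token in response: add 'openid' to scope")
    return data["access_token"], data["id_token"]


def _fake_jwt(claims):
    # Constructed, unsigned sample token: placeholder signature segment.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


ISS = "https://YOUR_TENANT.eu.auth0.com/"
SAMPLE_RESPONSE = json.dumps({
    # access token: audience is the API; ID token: audience is the client
    "access_token": _fake_jwt({"iss": ISS, "aud": "YOUR_AUDIENCE", "scope": "openid profile email"}),
    "id_token": _fake_jwt({"iss": ISS, "aud": "CLIENT_ID", "email": "user@example.com"}),
    "expires_in": 86400, "token_type": "Bearer"})
```

The `aud` claim is the quickest way to tell the two apart: the access token is addressed to your API audience, the ID token to your client_id.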
