Issue with user information after updating Auth0 Java libraries

anders.johansson · May 26, 2017, 8:51pm

Hi there.

i have been using
auth0-spring-security-api, version: 0.3.2
together with
auth0, version: 0.4.0

In my java backend i have been using the following lines of code to access the id_token and call method to access the user name

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String userName = auth0Client.getUsername((Auth0JWTToken) auth);

getUser name looks like this:

public String getUsername(Auth0JWTToken token) {
final Request<UserProfile> request = client.tokenInfo(token.getJwt());
final UserProfile profile = request.execute();
return profile.getEmail();

when i uppdate to
auth0-spring-security-api, version: 1.0.0-rc.2
together with
auth0, version: 1.1.0

the method i have been using is not valid can some one help me?
i have been trying to access the email with the following snippets

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    	String userName = auth0Client.getUsername(auth.getCredentials().toString());

and

public String getUsername(String token) {
    	Request<UserInfo> request = auth0.userInfo(token);
    	String email;
    	try {
    	    UserInfo info = request.execute();
    	    System.out.println(info.toString());
    	} catch (APIException exception) {
    		System.out.println(exception.toString());
    	} catch (Auth0Exception exception) {
    		System.out.println(exception.toString());
    	}
        return email;
    }

but it gives me a 400 or a 401 error. any suggestions on whats going wrong or how i can do it different?

jmangelo · May 29, 2017, 9:08pm

The previous version was using the tokenInfo method which maps to a specific endpoint that receives an ID token. The updated code now uses userInfo method which maps to the /userinfo endpoint specified as part of OpenID Connect.

The /userinfo endpoint needs to be called with an appropriate access token instead of an ID token. It’s likely that you’re still trying to pass the same token (ID token) as you were passing to the previous method and as such this will result in a failed request.

anders.johansson · May 30, 2017, 12:00am

ok so i have to get an access token sent from the frontend code or is ther a way in the java libary to request access_token from id_token?

jmangelo · May 31, 2017, 6:25pm

It depends on exact characteristics of your application. In general, it’s not recommended to send ID tokens to an API as authorization mechanism so if you’re doing that you may need to consider bigger changes.

anders.johansson · June 2, 2017, 11:11am

Thanks. we swapped the old id_token for access_token so now i have no problem with geting the user information from serverside but i have also implemented the spring security api and before i was able to use the
.authorizeRequests() to make sure that the client that made the request was authorized but that don’t seem to work now any suggestions on what’s going wrong there?