I am using a Single Page Application type of application in Auth0 and all CORS URLs are set up properly.
Upon authorizing using the scope “openid profile”, I am confirming the auth, and receiving a valid JWT which has been signed by Auth0 and contains the key “scope” set to “openid profile”. However, when I then contact the /userinfo service using that JWT as Bearer token, I receive only “sub” and “updated_at” fields. I also tried adding the “email” scope and this just adds the “email_verified” boolean without the actual email. I can see all of my user info in the raw JSON tab in the Auth0 admin panel, so I know it’s all there. Am I missing something?
Welcome to the Auth0 Community Forum!
Requesting the profile scope should include more claims according to this doc. It sounds like there is a configuration that may be changing things.
If you go to your applications > settings > advanced settings > OAuth, is the OIDC Conformant toggle on?
Yes, we are OIDC conforming.
Even using all 3 scopes “openid profile email” only provides “sub”, “updated_at” and “email_verified” boolean. It’s like 1 scope is only able to give me 1 claim. Or other claims are being wiped on the way out. Do you know why that could be? Or where any custom configuration might be?
Can you please DM me a HAR file so I can investigate further?