Auth0 Home Blog Docs

.NET Core API Reading Email Address



We have successfully implemented authorization with Auth0 in our application. Our application is an Angular UI with a .NET Core 2.0 API. We followed the Auth0 tutorials and the API is getting the token from the UI. In the API I would like to get the email address for the logged in user. It is apparent that I have not configured the client “SAML Protocol Settings” within Auth0 to pass the email address. I have copied what I have below. What changes do I need to make? Thank you for your assistance.

  "audience": "",
  "mappings": {
    "user_id":     "",
    "email": "",
    "name": "",
    "given_name":  "",
    "family_name": "",
    "upn":         "",
    "groups":      ""
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": true,
  "mapIdentities": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",


I did another search within Auth0 support and found two related links: and

It appears I need to show more code to get my question answered. Within Angular I have the following

auth0 = new auth0.WebAuth({
    clientID: AUTH_CONFIG.clientID,
    domain: AUTH_CONFIG.domain,
    responseType: 'token id_token',
    audience: '',
    redirectUri: `${window.location.origin}`, 
    scope: 'openid email profile'

Earlier I had scope as ‘openid’. I changed responseType to just ‘code’ and then tried ‘token id_token code’. Still no email appearing.


TL;DR: Create a rule to add the extra data you want to your accessToken as namespaced Custom Claims.

function (user, context, callback) {
  const namespace = '';
  context.accessToken[namespace + 'email'] =;
  callback(null, user, context);

If you have time to read, here’s a bit more explanation:

It looks like your frontend is using OAuth/OpenId Connect(OIDC), which is a different protocol from SAML. So just to clarify, the SAML configurations you mentioned initially won’t affect the OAuth flow.

Since you’re looking to enrich a token to be consumed by your API, you’ll want to be using an Access Token. An access_token, is a credential that can be used by an application to access an API (which would be responsible for Verifying the Access Token), whereas an id_token is consumed by the application and used to get user information like the user’s name, email, and so forth, typically used for UI display.

The only user data you should expect to see in the access_token is the sub claim, which is the user_id. However, as the documentation mention:

You can still add custom claims, but they must conform to a namespaced format to avoid possible collisions with standard OIDC claims. Otherwise, it is no longer possible to add arbitrary claims to ID Tokens or Access Tokens.

You can add namespaced claims to the access_token by creating a Rule to add Custom Claims.

I hope this is helpful. Let me know if you have any further questions.

Matt Maddex
Technical Support Engineer


Specifically for .NET Core Claims and my use case, the rule looks like the following:
function (user, context, callback) {

context.accessToken[‘’] =;
if (user.user_metadata !== undefined) {
context.accessToken[‘’] = user.user_metadata.given_name;
context.accessToken[‘’] = user.user_metadata.family_name;

callback(null, user, context);