.NET Core API Reading Email Address

gerald.bauer · February 19, 2018, 11:19pm

We have successfully implemented authorization with Auth0 in our application. Our application is an Angular UI with a .NET Core 2.0 API. We followed the Auth0 tutorials and the API is getting the token from the UI. In the API I would like to get the email address for the logged in user. It is apparent that I have not configured the client “SAML Protocol Settings” within Auth0 to pass the email address. I have copied what I have below. What changes do I need to make? Thank you for your assistance.

{
  "audience": "https://notmyrealaudience.com/saml",
  "mappings": {
    "user_id":     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "given_name":  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "upn":         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "groups":      "http://schemas.xmlsoap.org/claims/Group"
  },
  "createUpnClaim": true,
  "passthroughClaimsWithNoMapping": true,
  "mapUnknownClaimsAsIs": true,
  "mapIdentities": true,
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
  "nameIdentifierProbes": 
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ]
}

gerald.bauer · February 22, 2018, 12:08am

I did another search within Auth0 support and found two related links:
Unable to obtain email address from authenticated user - Auth0 Community and How to access user email address? - Auth0 Community

It appears I need to show more code to get my question answered. Within Angular I have the following

auth0 = new auth0.WebAuth({
    clientID: AUTH_CONFIG.clientID,
    domain: AUTH_CONFIG.domain,
    responseType: 'token id_token',
    audience: 'https://services.mycompanyname.com',
    redirectUri: `${window.location.origin}`, 
    scope: 'openid email profile'
  });

Earlier I had scope as ‘openid’. I changed responseType to just ‘code’ and then tried ‘token id_token code’. Still no email appearing.

mmaddex · April 30, 2018, 4:48pm

TL;DR: Create a rule to add the extra data you want to your accessToken as namespaced Custom Claims.

function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.accessToken[namespace + 'email'] = user.email;
  callback(null, user, context);
}

If you have time to read, here’s a bit more explanation:

It looks like your frontend is using OAuth/OpenId Connect(OIDC), which is a different protocol from SAML. So just to clarify, the SAML configurations you mentioned initially won’t affect the OAuth flow.

Since you’re looking to enrich a token to be consumed by your API, you’ll want to be using an Access Token. An access_token, is a credential that can be used by an application to access an API (which would be responsible for Verifying the Access Token), whereas an id_token is consumed by the application and used to get user information like the user’s name, email, and so forth, typically used for UI display.

The only user data you should expect to see in the access_token is the sub claim, which is the user_id. However, as the documentation mention:

You can still add custom claims, but they must conform to a namespaced format to avoid possible collisions with standard OIDC claims. Otherwise, it is no longer possible to add arbitrary claims to ID Tokens or Access Tokens.

You can add namespaced claims to the access_token by creating a Rule to add Custom Claims.

I hope this is helpful. Let me know if you have any further questions.

Matt Maddex
Technical Support Engineer

gerald.bauer · April 30, 2018, 5:52pm

Specifically for .NET Core Claims and my use case, the rule looks like the following:
function (user, context, callback) {

context.accessToken[‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress’] = user.email;
if (user.user_metadata !== undefined) {
context.accessToken[‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname’] = user.user_metadata.given_name;
context.accessToken[‘http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname’] = user.user_metadata.family_name;
}

callback(null, user, context);
}

Topic		Replies	Views
Getting a user's email from an access token Help configuration , application	6	7022	October 20, 2023
How to identift a user in my .net Core Api? Help angular , net-core , identity	2	7256	April 16, 2019
Cannot see userinfo in Api endpoint Help authentication-api , jwt , auth0 , api , login	9	8984	April 16, 2019
Unable to obtain email address from authenticated user Help .net , userinfo , email	4	8696	March 2, 2018
Email is not a part of the scope within User.Identity.Claims in API Help auth0 , api	7	3307	October 26, 2021

.NET Core API Reading Email Address

Related topics