We use a rule which augments our access_tokens with some information, that we then use with our internal system.
And this works with passwordless accounts.
However, the access tokens we obtain when performing the login above, or later, when requesting a new access_token using the refresh_token, are naked. In fact: worse than naked.
I am still able to use them as bearer tokens to query endpoints like /userinfo but they are short, and they don’t appear to include app_metadata.
Hi @argo, it looks like you are getting an opaque token because you are not specifying an audience. When no audience is provided, it will default to an opaque token for calling /userinfo.
I would recommend setting up a custom API in Auth0 so you can use its identifier as an audience; this will give you a JWT token instead of the opaque token. This behaviour is documented here:
You can then use Actions to add app_metadata to the tokens issued, e.g. if I wanted to add a user’s favourite_colour which is stored in their app_metadata to the access token, the action would look something like:
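As an added illustration of the approach described in this reply (not the responder's own Action or Auth0 sample code), here is a post-login Action that copies a single app_metadata attribute into the issued tokens as a namespaced custom claim. The namespace URL and the attribute allow-list are assumptions; Auth0 drops custom claims that are not namespaced with a URL-like prefix.

```javascript
// Auth0 post-login Action (Node.js) that copies one app_metadata attribute
// into the access token as a namespaced custom claim.
// Added example; not code from the thread or from Auth0's documentation.
// The namespace is an assumption: Auth0 requires custom claim names to carry a
// URL-like prefix that is not an Auth0 domain, otherwise the claim is dropped.
const NAMESPACE = 'https://example.com/claims';

// Attributes allowed to leave app_metadata. Copying the whole object would
// expose every key stored there to any party that can read the token, so this
// is an explicit allow-list rather than a loop over Object.keys(app_metadata).
const EXPORTED_ATTRIBUTES = ['favourite_colour'];

// Compute the claims to add. Kept pure so it can be tested without a tenant.
function buildCustomClaims(user, namespace = NAMESPACE) {
  const meta = (user && user.app_metadata) || {};
  const claims = {};
  for (const attr of EXPORTED_ATTRIBUTES) {
    if (meta[attr] !== undefined && meta[attr] !== null) {
      claims[`${namespace}/${attr}`] = meta[attr];
    }
  }
  return claims;
}

// Apply the claims to both the access token and the ID token.
// Returns the claims that were applied so a caller can verify them.
function applyClaims(event, api) {
  const claims = buildCustomClaims(event.user);
  for (const [name, value] of Object.entries(claims)) {
    api.accessToken.setCustomClaim(name, value);
    api.idToken.setCustomClaim(name, value);
  }
  return claims;
}

// Entry point Auth0 invokes after login. The claim only lands in the access
// token when the login request specified an audience and a JWT is issued; an
// opaque token for /userinfo has no payload to carry it.
const onExecutePostLogin = async (event, api) => {
  applyClaims(event, api);
};

// Auth0 reads the Action's entry point from exports (CommonJS).
if (typeof exports === 'object') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```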
Access tokens issued with passwordless authentication have two audiences associated with them: https://<tenant-default-domain>/api/v2 (Management API) and https://<tenant-default-domain>/userinfo.
Opaque access tokens only have https://<tenant-default-domain>/userinfo.
When using the PHP SDK, although I presume that this is not specific to the PHP SDK, if I set the audience to https://<tenant-default-domain>, I get an opaque access token, in my case (because I have enabled it), a refresh token, and a fully fledged id token with all additional claims set.
If I set the audience to https://<custom-api-uri>, I get the access token and refresh token, and this time the access token is fully fledged. But in that case, of course, the access token is not valid against /userinfo, because my custom API doesn’t have an endpoint like that.
In my case, I am going to have to go with option A, since I need both the custom claims and the userinfo. I imagine that this behavior could be confusing to some, hence I wanted to leave some notes.