Passing user data from the initial authentication on to an API

Hi

I am new to Auth0 and I’m sure I am missing something obvious but having issues related to getting profile information when calling an API.

My aim is to be able to authenticate with Auth0 (with an Auth0 user or a social provider) then pass the basic profile and email claims in the JWT when sending requests to an API.

When doing the initial authentication (scope: “openid profile email”) I am presented with the profile information I need, however when I call

getAccessTokenSilently({scope: "openid profile email"})

I get an access token JWT that is very bare and does not include any of the profile data.

{"iss":"https://xxx.eu.auth0.com/","sub":"google-oauth2|123["http://localhost:3000","https://xxx.eu.auth0.com/userinfo"],"iat":1619047752,"exp":16191300004152,"azp":"S311aHK71RV9qvnfrxNM3ONKqNnaS1k6","scope":"openid profile email"}

  1. Am I doing something unusual and should my process be realigned?
  2. If no to the above then how do I enrich the token with the profile and email data?

Thanks in advance

Hi @OliDow,

Welcome to the Community and to Auth0!

You can use the ID token for user profile, or exchange the access token to the /userinfo endpoint for the user profile.

Depending on where you want this info, you can choose which one of those options suits you.

Hi Dan

Thanks for the quick reply.

I need the user profile information on the API being called.

  1. Am I able to do this exchange client side? Enrich the token sent to the API (second code block in the OP) with the information from the User token?
    or
  2. Would the best practice be to call the /userinfo endpoint you mentioned directly from the endpoint after it is called?

I guess I am just curious what the best practice is for getting claims from the initial first time authentication available on API endpoints being called.

Thanks again

The tokens are immutable. If you change anything in it then the signature will no longer match the payload and you cannot validate the token.

You are probably best off calling the /userinfo endpoint to get the user’s profile from your backend API.

This doc does a good job of explaining the differences between the two and their uses.
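
The immutability point above, as an added example (not code from this thread or from Auth0): an RS256 token whose payload is rewritten client side keeps its old signature and is rejected by the API. The key pair, claim values, and the function names `signToken`, `verifyToken` and `enrichClientSide` are constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

// Constructed RSA key pair standing in for the tenant's signing key (assumption).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Issuer side: sign "header.payload" with RS256.
function signToken(payload) {
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(payload)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// API side: pin the algorithm, then verify the signature over "header.payload".
// Returns the claims, or null if the token does not verify.
// (A production verifier also checks iss, aud and exp; omitted to isolate the signature.)
function verifyToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  let alg;
  try { alg = decode(header).alg; } catch { return null; }
  if (alg !== 'RS256') return null;
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${header}.${payload}`),
    publicKey, Buffer.from(sig, 'base64url'));
  return ok ? decode(payload) : null;
}

// Client-side "enrichment": rewrite the payload, keep the original signature.
function enrichClientSide(token, extraClaims) {
  const [header, payload, sig] = token.split('.');
  return `${header}.${b64url({ ...decode(payload), ...extraClaims })}.${sig}`;
}

// Constructed sample claims (not the values from the post).
const issued = signToken({ sub: 'google-oauth2|example', scope: 'openid profile email' });
const enriched = enrichClientSide(issued, { email: 'user@example.com' });

console.log('issued token verifies:  ', verifyToken(issued) !== null);
console.log('enriched token verifies:', verifyToken(enriched) !== null);
```

Only the holder of the private signing key can produce a token with extra claims that still verifies, which is why the profile has to come from the ID token or from /userinfo rather than from a client-modified access token.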