Proper way to use Auth0 with Java Servlets

Hello, i had a project working with MVC Auth Commons 0.1.2 and 3.4.0 (which is not maintained anymore) that provided methods like:

final Auth0User user = SessionUtils.getAuth0User(req);

and servlets and filters like


Which allowed to me to get user info as an object after building authorization URL, receiving the callback and tokens.

But now, according to the Java QuickStart ( and Auth Java MVC Commons ( only show how to get the tokens after callback:

// src/main/java/com/auth0/example/

public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
handle(req, res);

public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
handle(req, res);

private void handle(HttpServletRequest req, HttpServletResponse res) throws IOException {
try {
// Parse the request
Tokens tokens = authenticationController.handle(req, res);
SessionUtils.set(req, “accessToken”, tokens.getAccessToken());
SessionUtils.set(req, “idToken”, tokens.getIdToken());
} catch (IdentityVerificationException e) {

My question is, how can i get the user metadata as an object like before? The only way i found it worked was using a thirdparty lib like this one:

This takes care of getting userinfo metadata and validate the nonce, as well as saving this info at session level.

Something like this:

	private Auth0User fetchUser(Tokens tokens) {
	Resty resty = createResty();

	String userInfoUri = getUserInfoUri(tokens.getAccessToken());

	try {
		JSONResource json = resty.json(userInfoUri);
		return new Auth0User(json.toObject());
	} catch (Exception ex) {
		throw new IllegalStateException("Cannot get User from Auth0", ex);

private String getTokenUri() {
	return getUri("/oauth/token");

private String getUserInfoUri(String accessToken) {
	return getUri("/userinfo?access_token=" + accessToken);

private boolean isValidState(HttpServletRequest req) {
	return req.getParameter("state")

So, is this supposed to be used like this? or is there an official way to get the user info and validate nonces?

Thank you so much in advance.