Redirect to /authorize then it calls back with code and state then confusion

I am calling /authorize which redirects to my /callback?code=xxx&state=yyy. I read this page: Get ID Tokens

  1. Is the code an id token I can validate without going remote? The libs in that url referenced can’t seem to validate that token since it is not jwt.
  2. Can I get ‘sub’ from this code above(the xxx)? If so, I can skip the call to /userinfo which seems a bit useless as it
  3. The call to /userinfo does not return an identities array with Google's OAuth tokens, and the docs show that only the Management API returns that (seems odd though). Is this true, or are the docs just missing that field? Currently, when I run, I do not see it returned, but perhaps there is config to make it return more?

My GUESS: For highest security, validate the state passed from callback is the same random secure thing AND call /oauth/token and decode the JWT token. If all that is good, we are secure ‘I hope/think’.

I was able to get sub from decoding the JWT after I had the right audience and use that for fetching Google's tokens without using /userinfo now. All signups take 2 calls to Auth0 for now :frowning: while I was hoping just one to keep the load fast.

Hi @dean2,

Let me clarify that the code you received is meant to be exchanged for tokens. To do so, you will need to specify the scope=openid in the request and include an audience parameter to get a valid JWT token.

After you have exchanged the code for a token at the /oauth/token endpoint, you should get your Access and ID Token.

If you do not specify the audience parameter, the token will be opaque and can only be used with the /userinfo endpoint.

I recommend reviewing the following doc:

I hope the explanation is clear!
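The flow discussed in this thread (random state checked on the callback, the authorization code is not a JWT, the ID token obtained from /oauth/token is verified and sub read from it), as an added example that is not code from the original thread or from Auth0. It assumes placeholder issuer and client id values, and uses an HS256 shared secret in place of Auth0's RS256/JWKS signing so that it runs offline:

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed placeholder values, not a real tenant.
ISSUER = "https://example.auth0.com/"
CLIENT_ID = "client-id-placeholder"

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def new_state():
    # Random state stored server-side (session) before redirecting to /authorize.
    return secrets.token_urlsafe(32)

def state_matches(stored, received):
    # Constant-time comparison; both values must be present.
    return bool(stored) and bool(received) and hmac.compare_digest(stored, received)

def make_hs256_token(claims, key):
    # Test-only issuer; stands in for Auth0 (which signs with RS256 and publishes JWKS).
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"

def verify_id_token(token, key, now=None):
    """Return claims if signature, iss, aud and exp check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")  # an authorization code from /callback fails here
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims  # claims["sub"] is the user id, no /userinfo call needed
```

In production the same checks run against the RS256 signature with the key fetched from the tenant's JWKS endpoint; the state, iss, aud and exp logic is unchanged.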