Should I embed information in the JWT ID Token?

Hi, I am in the process of creating an SSO solution for a client. I want to use auth0. My first task is to use it with a Vue frontend with an API backend. I have the basic authentication part up and running.

I was thinking about using the ID Token to embed extra user-specific information, like an organization ID. This ID could then be used on the API side to decide which organization the current principal belongs to, without making any extra calls.

I have read a lot of the articles here but I fail to find something similar so I am suspecting that I am thinking about this in the wrong way.

Now I am considering creating my own database where I can map the sub claim (auth0 user id), to the values I need on the API side.

What do you think? Is this the way to do it?

Kind regards
Thomas

Hey @xtmk

First, don’t pass the ID token to the API, use an access token. An ID token is a statement “this user has successfully authenticated”. An access token is a key to an API. This fits your model better.

And yes, you can add extra information to the access token (or ID token). Auth0 rules let you do this.
You’ll need your org ID put in the user’s app_metadata, then it is straightforward to copy it to the token.

John
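Added example of the rule John describes, not code from this thread or from Auth0's own samples: an Auth0 Rule has the signature `function (user, context, callback)`, and a custom claim added from a rule must use a namespaced (URL-style) key, so `https://example.com/org_id` below is an assumed namespace. The rule reads the organization ID from `app_metadata` only (which the user cannot edit, unlike `user_metadata`), copies it to both tokens, and fails closed when the user has no organization. `runLocally` is a small harness with constructed input so the rule can be exercised outside the Auth0 runtime.

```javascript
// Added example, not code from the thread or from Auth0's own samples.
// Auth0 Rules are functions with the signature function (user, context, callback).
// Custom claims added from a rule must use a namespaced key; the namespace below is assumed.
const ORG_CLAIM = 'https://example.com/org_id';

// In the Auth0 rule runtime UnauthorizedError is a provided global used to deny the
// login; outside the platform (e.g. when running this file locally) fall back to Error.
const DenyError = typeof UnauthorizedError !== 'undefined' ? UnauthorizedError : Error;

function addOrgClaim(user, context, callback) {
  // Read from app_metadata only: user_metadata is editable by the user and must
  // never drive an authorization decision on the API side.
  const meta = user.app_metadata || {};
  const orgId = meta.org_id;

  // Fail closed: a user without an organization gets no token at all, rather than
  // a token whose missing claim the API might interpret as "no restriction".
  if (typeof orgId !== 'string' || orgId.length === 0) {
    return callback(new DenyError('User has no organization assigned'));
  }

  context.accessToken[ORG_CLAIM] = orgId; // consumed by the API for authorization
  context.idToken[ORG_CLAIM] = orgId;     // consumed by the frontend for display only
  return callback(null, user, context);
}

// Local harness with constructed input mimicking what the rule engine passes in.
// Returns the resulting token claims, or the denial message.
function runLocally(user) {
  const context = { accessToken: {}, idToken: {} };
  let outcome = null;
  addOrgClaim(user, context, (err, u, c) => {
    outcome = err
      ? { denied: err.message }
      : { accessToken: c.accessToken, idToken: c.idToken };
  });
  return outcome;
}

// Constructed sample users: one with the org in app_metadata, one who only has it
// in user_metadata (which the rule deliberately ignores).
console.log(runLocally({ user_id: 'auth0|example', app_metadata: { org_id: 'org_123' } }));
console.log(runLocally({ user_id: 'auth0|example', user_metadata: { org_id: 'org_123' } }));
```

On the API side the claim is then read by its full namespaced name (`https://example.com/org_id` in this example), not by `org_id`, since that is how it appears in the decoded token.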

Hi John - thank you for your answer.

I have used the quickstart to implement JWT authentication in my web API, which is based on ASP.NET Core. I can see that the front-end sends in a signed JWT, from which the ASP.NET middleware constructs a principal that claims to be authenticated. When I decode it on jwt.io I can see the claims as well as the permissions that I attach to the API (not the frontend).

What I am trying to say is that I follow the recommendations from the quickstart, so I hope that it is the correct way to do it.

With regards to using a rule, I have tried that and so far failed, but I will give it another go.

Kind regards
Thomas

When I look at the decoding of the bearer token sent from the frontend to the backend it has the following contents:

{
  "iss": "https://…auth0.com/",
  "sub": "auth0|5f46a07fe71ba00068c89670",
  "aud": [
    "my-api",
    "https://…auth0.com/userinfo"
  ],
  "iat": 1598950217,
  "exp": 1599036617,
  "azp": "Q49ufre5zwSYb0uAJ8Z7yvkv4EBIpmEj",
  "scope": "openid profile email",
  "permissions":
}

My book on OpenID Connect states that access tokens normally are opaque identifiers and not JWTs, so in that sense I am a little worried. On the other hand, the JWT contains neither name nor email.

From what I have written, I do not know if anyone can verify whether or not the jwt represents an access-token or an ID Token.

Kind regards
Thomas

Ok - I have just managed to learn that it is in fact the access-token that is being sent between the frontend and the backend.

When I look at the request-response between the frontend and the auth0 token endpoint, I can see that the token being used sits in a json structure with the property name of “access_token”.

There is another property called “id_token” which contains a jwt that also has name, email, etc.

Kind regards
Thomas
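Added example, not code from this thread, illustrating the distinction the two posts above arrive at: an Auth0 access token carries the API identifier in `aud` (here `my-api`, as in the decoded token above) together with `azp` and `scope`, while an ID token's `aud` is the application's client_id and it carries profile claims such as `name` and `email`. The code decodes a JWT payload without verifying the signature (inspection only; the API's JWT middleware still verifies signature and expiry), classifies it, and shows the audience and expiry check an API should apply before trusting any claim. The tenant URL, client_id and the two tokens are constructed placeholders; `makeDemoJwt` produces tokens with a dummy signature purely for the demo.

```javascript
// Added example, not from the thread. Decodes and classifies Auth0 tokens; the
// tenant, client_id and signature values are constructed placeholders.

function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Payload only; the signature is NOT checked here (that is the middleware's job).
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function audienceList(claims) {
  return Array.isArray(claims.aud) ? claims.aud : [claims.aud];
}

// Access token: aud contains the API identifier (Auth0 also adds the userinfo URL).
// ID token: aud is the client_id of the application and there is no scope claim.
function classifyToken(claims, { apiIdentifier, clientId }) {
  const aud = audienceList(claims);
  if (aud.includes(apiIdentifier)) return 'access_token';
  if (aud.includes(clientId) && claims.scope === undefined) return 'id_token';
  return 'unknown';
}

// What the API must enforce before reading claims like the org ID: the token was
// issued for this API (audience) and has not expired. An ID token fails this
// check because its audience is the frontend application, not the API.
function apiShouldAccept(claims, apiIdentifier, nowSeconds) {
  return audienceList(claims).includes(apiIdentifier)
    && typeof claims.exp === 'number'
    && claims.exp > nowSeconds;
}

// Constructed demo tokens with a dummy signature part (never do this for real tokens).
function makeDemoJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.dummysignature`;
}

const TENANT = 'https://TENANT.auth0.com/';      // placeholder tenant
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';         // placeholder application client_id
const API_ID = 'my-api';                           // API identifier, as in the thread

const DEMO_ACCESS_TOKEN = makeDemoJwt({
  iss: TENANT,
  sub: 'auth0|5f46a07fe71ba00068c89670',
  aud: [API_ID, TENANT + 'userinfo'],
  iat: 1598950217,
  exp: 1599036617,
  azp: CLIENT_ID,
  scope: 'openid profile email',
  permissions: [],
});

const DEMO_ID_TOKEN = makeDemoJwt({
  iss: TENANT,
  sub: 'auth0|5f46a07fe71ba00068c89670',
  aud: CLIENT_ID,
  iat: 1598950217,
  exp: 1599036617,
  nonce: 'constructed-nonce',
  name: 'Example User',
  email: 'user@example.com',
});

for (const token of [DEMO_ACCESS_TOKEN, DEMO_ID_TOKEN]) {
  const claims = decodePayload(token);
  console.log(classifyToken(claims, { apiIdentifier: API_ID, clientId: CLIENT_ID }),
    'accepted by API:', apiShouldAccept(claims, API_ID, 1598950300));
}
```

The audience check is the one that matters for the original question: the organization claim is only safe to act on once the API has established that the token was minted for it, which is exactly what the `aud` list in the decoded access token above provides and what an ID token never does.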