SPA gets user information as detailed in scope, but nowhere to be found in API

Vetle · November 9, 2023, 9:30am

Hi, this is probably some misconfiguration on my part, but can’t figure out what’s wrong.

I have a single-page application written in Vue3, which authenticates with Auth0, and then calls an API built with Spring Boot and okta-spring-boot-starter. It works well - the SPA can call the API with the access token we get.

However! While I can see that the user information as specified in the scope is available on the front end in the SPA (such as name and email address), I can’t figure out how to get this information in the API application.

The audience when getting the token in the frontend is set to the API identifier, and the same audience is configured in the API application.

Any ideas? I feel like I’m going in circles here.

TIA

List item

frederik.prijck · November 9, 2023, 9:51am

Hello,

The user information in the frontend is pulled from the ID Token, whereas the token sent to the API is the Access Token.

As the name implies, the ID Token contains information about the user’s identity. While the Access Token contains information about the user’s access. Typically, the latter does not contain information about the user’s identity, but that does not mean it’s not possible (it’s just not provided by default)

If you want to get access to profile information in the API through the Access Token, you can either do:

Call auth0’s API to get the user info from the backend using the provided access token: https://auth0.com/docs/api/authentication#user-profile
Add the required claims to the access tokens using an Action: Auth0 Actions

Here’s a basic example on how to add the information to the access token using an action:

exports.onExecutePostLogin = async (event, api) => {
    if (event.authorization) {
      api.accessToken.setCustomClaim("given_name", event.user.given_name);
      api.accessToken.setCustomClaim("family_name", event.user.family_name);
      api.accessToken.setCustomClaim("email", event.user.email);
    }
};

The above should ensure the Access Token has 3 new claims, containing the corresponding values which you can then retrieve in any API receiving that access token.

Vetle · November 9, 2023, 10:06am

Thanks for the quick reply!

Well, I thought this was how it was done, and had implemented a call to the /userinfo endpoint. Turns out my code was wrong, and it was a minor change to fix it!

Thanks for your help

Here’s the code for the next person that comes looking:

 fun getUserInfo(authentication: org.springframework.security.core.Authentication?): String {
        val jwtAuthToken = authentication as JwtAuthenticationToken
        val accessToken = jwtAuthToken.token.tokenValue

        // Create headers with the Bearer token
        val headers = HttpHeaders()
        headers.setBearerAuth(accessToken)

        // Use RestTemplate to call the userinfo endpoint
        val restTemplate = RestTemplate()
        val entity: HttpEntity<Any> = HttpEntity(headers)
        val response = restTemplate.exchange(
            "https://<whatever>>.auth0.com/userinfo",
            HttpMethod.GET,
            entity,
            String::class.java
        )
        return response.body
    }