SPA gets user information as detailed in scope, but nowhere to be found in API

Hi, this is probably some misconfiguration on my part, but can’t figure out what’s wrong.

I have a single-page application written in Vue3, which authenticates with Auth0, and then calls an API built with Spring Boot and okta-spring-boot-starter. It works well - the SPA can call the API with the access token we get.

However! While I can see that the user information as specified in the scope is available on the front end in the SPA (such as name and email address), I can’t figure out how to get this information in the API application.

The audience when getting the token in the frontend is set to the API identifier, and the same audience is configured in the API application.

Any ideas? I feel like I’m going in circles here.

TIA

Hello,

The user information in the frontend is pulled from the ID Token, whereas the token sent to the API is the Access Token.

As the name implies, the ID Token contains information about the user’s identity, while the Access Token contains information about the user’s access. Typically, the latter does not contain information about the user’s identity, but that does not mean it’s not possible (it’s just not provided by default).

If you want to get access to profile information in the API through the Access Token, you can either do:

Here’s a basic example on how to add the information to the access token using an action:

exports.onExecutePostLogin = async (event, api) => {
  // Copy selected profile fields from the user onto the access token.
  if (event.authorization) {
    api.accessToken.setCustomClaim("given_name", event.user.given_name);
    api.accessToken.setCustomClaim("family_name", event.user.family_name);
    api.accessToken.setCustomClaim("email", event.user.email);
  }
};

The above should ensure the Access Token has 3 new claims, containing the corresponding values which you can then retrieve in any API receiving that access token.
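Added example, not part of the original answer: how an API could validate an access token and then read the three claims the Action sets, including the case where they are absent. The issuer, audience, key pair, sample users and the `issueToken`/`readProfile` helpers are constructed for illustration; a real API would use its framework's JWT validation and the tenant's published keys.

```javascript
const crypto = require("crypto");

// Constructed values for this example (assumptions, not from the thread).
const ISSUER = "https://tenant.example/";
const AUDIENCE = "https://api.example/";
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64url = (v) => Buffer.from(v).toString("base64url");

// Hypothetical stand-in for the authorization server: signs an RS256 token.
function issueToken(claims) {
  const signed = `${b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signed), privateKey);
  return `${signed}.${sig.toString("base64url")}`;
}

// API side (hypothetical helper): validate first, then read the profile claims.
function readProfile(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const data = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("RSA-SHA256", data, publicKey, Buffer.from(sig, "base64url"))) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (![].concat(claims.aud).includes(AUDIENCE)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  // The claims exist only if the Action set them; report a missing one as null.
  const pick = (name) => (typeof claims[name] === "string" ? claims[name] : null);
  return {
    sub: claims.sub,
    given_name: pick("given_name"),
    family_name: pick("family_name"),
    email: pick("email"),
  };
}

// Constructed sample tokens: one without the Action's claims, one with them.
const base = { iss: ISSUER, aud: AUDIENCE, sub: "auth0|constructed-user", exp: Math.floor(Date.now() / 1000) + 300 };
const plainToken = issueToken(base);
const enrichedToken = issueToken({ ...base, given_name: "Ada", family_name: "Example", email: "ada@example.com" });

console.log(readProfile(plainToken));
console.log(readProfile(enrichedToken));
```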

Thanks for the quick reply!

Well, I thought this was how it was done, and had implemented a call to the /userinfo endpoint. Turns out my code was wrong, and it was a minor change to fix it!

Thanks for your help :slight_smile:

Here’s the code for the next person that comes looking:

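import org.springframework.http.HttpEntity
import org.springframework.http.HttpHeaders
import org.springframework.http.HttpMethod
import org.springframework.security.core.Authentication
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
import org.springframework.web.client.RestTemplate

// Fetches the caller's profile from /userinfo using the access token of the current request.
fun getUserInfo(authentication: Authentication?): String {
    val jwtAuthToken = authentication as JwtAuthenticationToken
    val accessToken = jwtAuthToken.token.tokenValue

    // Create headers with the Bearer token
    val headers = HttpHeaders()
    headers.setBearerAuth(accessToken)

    // Use RestTemplate to call the userinfo endpoint
    val restTemplate = RestTemplate()
    val entity: HttpEntity<Any> = HttpEntity(headers)
    val response = restTemplate.exchange(
        "https://<whatever>.auth0.com/userinfo",
        HttpMethod.GET,
        entity,
        String::class.java
    )
    // The response body is nullable; fail explicitly instead of returning null.
    return response.body ?: error("Empty response from /userinfo")
}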