Currently have a SPA application hitting a Rails API, but on every request where I need to fetch the user data I am supplying the auth0_id from the front end. Is this OK practice, or should I be getting the auth0_id when I decode the JWT token? Or am I missing something else?
Take a look at this example:
If I understand you correctly, the answer is yes. Please take a look at the implementation and make sure it fits your case.
@dan.woda Thanks for the response. The documentation says nothing about how to access an Auth0 user in your own DB; this simply tells you how to log someone in.
In my case, like I explained above, I am passing a token and auth0_id to my API to check for the user in my API. Is passing the auth0_id with the auth token a bad practice? Should I get the auth0_id from decoding the token on the API?
I am referring to the following line:
One of the standard JWT claims is the sub claim which identifies the principal that is the subject to the claim. In the case of the Implicit Grant flow this claim will contain the user’s identity, which will be the unique identifier for the Auth0 user. You can use this to associate any information in external systems with a particular user.
sub is going to be the user ID in this case. You can also add a custom claim if you wanted to use a different identifier such as email address. Since you are already sending the user ID in the token, I don’t think that would be bad practice per se, but it is redundant.
Let me know if I am misunderstanding something.
Got it, thanks. So it would be “better” practice to just send the JWT and pull the ID from there on the API?
Yes, this would be the suggested approach.
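The approach agreed on in the thread, as an added Ruby example that is not from the thread, from Auth0, or from the Auth0 SDK: the API verifies the token (signature, pinned algorithm, issuer, audience, expiry) and takes the user identifier from the verified sub claim. The weak pattern is shown beside it to make the risk concrete: a client-supplied auth0_id is not bound to the token, so any caller holding a valid token could read another user's record just by changing the parameter, which is an authorization flaw rather than mere redundancy. Everything here is constructed so it runs offline: a freshly generated RSA key stands in for the tenant signing key that a real API would fetch from the tenant JWKS endpoint, the issuer and audience are placeholders, USERS is an in-memory stand-in for the users table, mint_token plays the issuer, and the JWT handling is hand-rolled with the OpenSSL standard library instead of the jwt gem.

```ruby
require "openssl"
require "json"

# Constructed stand-in for the tenant's RS256 signing key (a real API would load the
# public key from the tenant's JWKS endpoint; this is an assumption for the demo).
TENANT_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER     = "https://example-tenant.auth0.com/"  # placeholder issuer
AUDIENCE   = "https://api.example.com"            # placeholder API identifier

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decode; raises ArgumentError on garbage
end

# Constructed issuer-side helper: mints an RS256 JWT so the example can run offline.
def mint_token(claims, key = TENANT_KEY)
  header = { alg: "RS256", typ: "JWT" }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  signature = key.sign(OpenSSL::Digest::SHA256.new, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

class InvalidToken < StandardError; end

# Verifies signature, algorithm, issuer, audience and expiry, then returns the claims.
def verify_token(token, public_key: TENANT_KEY.public_key, now: Time.now.to_i)
  parts = token.split(".")
  raise InvalidToken, "malformed token" unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm: the token must not get to choose how it is verified.
  raise InvalidToken, "unexpected alg" unless header["alg"] == "RS256"
  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  unless public_key.verify(OpenSSL::Digest::SHA256.new, signature, signing_input)
    raise InvalidToken, "bad signature"
  end
  claims = JSON.parse(b64url_decode(parts[1]))
  raise InvalidToken, "wrong issuer"   unless claims["iss"] == ISSUER
  raise InvalidToken, "wrong audience" unless Array(claims["aud"]).include?(AUDIENCE)
  raise InvalidToken, "expired"        unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
rescue ArgumentError, JSON::ParserError
  raise InvalidToken, "malformed token"
end

# Constructed in-memory stand-in for the users table, keyed by auth0_id.
USERS = {
  "auth0|alice" => { name: "Alice" },
  "auth0|bob"   => { name: "Bob" },
}.freeze

# Weak pattern from the thread: the token is verified, but the record is looked up by an
# auth0_id the client chose. Nothing ties that parameter to the token's subject.
def current_user_trusting_param(token, params)
  verify_token(token)
  USERS[params[:auth0_id]]
end

# Suggested approach: the identity comes only from the verified token's sub claim.
def current_user_from_sub(token)
  claims = verify_token(token)
  USERS[claims["sub"]]
end
```

In a Rails API the verified claims would typically be attached to the request once in a before_action and current_user derived from claims["sub"] there, so no controller ever reads the identifier from params.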