To get userInfo from token springboot

I am creating an application with Spring Boot as backend and React as frontend with Auth0. I have followed the quickstart exactly. I am passing the token with user info (added through rules) as a header. In the backend I need the user info to set the userId of the user in the local DB. Whenever I try, I am getting UserPrinciple as null in the backend. From my understanding (I read somewhere), the userInfo will be automatically configured in the UserPrinciple when we use @AuthenticationPrincipal. Can anyone help me with this? Thank you.

Hey there @Account123!

Do you mind sharing the quickstart you’re working off as well as the rule mentioned? The additional context may help digging into this a bit deeper.

Thanks!

I followed this tutorial to set up the React frontend: Auth0 React SDK Quickstarts: Add Login to your React App; this for calling Auth0 APIs in React: Auth0 React SDK Quickstarts: Call an API; and this for the Spring Boot backend: Auth0 Spring Boot API SDK Quickstarts: Authorization. In the backend I will be receiving the token from the headers, which will contain the id and some user information, which when authenticated (authentication is happening) will automatically be set in the UserPrinciple by Spring Boot (from what I read), but whenever I try to get the UserPrinciple its values are always null.

Hi Team :wave:

I’m not a Spring Boot specialist, so probably won’t be able to answer your question directly. But I do have a couple of observations on the conversation here so far that I’d like to share (in no particular order):

  • In the initial comment (To get userInfo from token springboot) @Account123 mentions adding user information to the token via a Rule. I don’t know what information is being added here, but I suspect it is one or more (custom) claims, right? One should be careful not to pollute tokens with (custom) claims that may contain security-sensitive or even PII-sensitive information, particularly if those tokens are being used in a front-end context (such as the React context mentioned).

  • OAuth 2 defines the /userinfo endpoint, which typically provides access to user information from a backend context via something like a POST request. This prevents the need to pollute tokens with (custom) claim information that could be considered security or even PII sensitive in nature; it also honours any consent provided by a user for specific scope claims.

  • The /userinfo endpoint is well defined and typically delivers information in a structured and well-defined format. I suspect that Spring Boot is probably expecting information in a structured and well-defined format, and won’t be able to just decode information arbitrarily added to a token via one or more (custom) claims.

  • The /userinfo endpoint in Auth0 (Okta CIC) provides an implementation in line with the OAuth 2 spec for obtaining user information. As the docs say, you will need to call this endpoint with an Auth0 provided Access Token; any Access Token generated by Auth0 can typically be used. Auth0 generated access tokens currently support /userinfo as an endpoint audience, irrespective of whatever custom audience may also be requested. By default Auth0 will typically return an access token for the /userinfo endpoint if no custom audience is specified on a call to /authorize or the like.

Hope this helps :slight_smile:
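A Spring Boot controller illustrating both routes discussed in this thread (reading claims from the validated access token injected as a `Jwt`, and calling the `/userinfo` endpoint with that same token when the data is not in the token). This is an added example, not code from any poster or from Auth0; the tenant domain, the namespaced claim name and the `/api/me` path are assumptions.

```java
import java.util.Map;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class ProfileController {

    // Assumed values: your tenant domain and the namespaced claim the rule adds.
    private static final String USERINFO_URL = "https://YOUR_TENANT.auth0.com/userinfo";
    private static final String EMAIL_CLAIM = "https://example.com/email";

    private final RestTemplate http = new RestTemplate();

    // With spring-security-oauth2-resource-server the authenticated principal is the
    // validated Jwt itself, so inject Jwt here rather than a custom principal type.
    @GetMapping("/api/me")
    public Map<String, Object> me(@AuthenticationPrincipal Jwt jwt) {
        // "sub" is the stable Auth0 user id; key the local DB row on it, not on email.
        String userId = jwt.getSubject();

        // A rule-added claim is only present if the rule ran for this token's audience.
        String email = jwt.getClaimAsString(EMAIL_CLAIM);

        if (email == null) {
            // Fall back to /userinfo, presenting the same access token as a bearer.
            Map<String, Object> info = fetchUserInfo(jwt.getTokenValue());
            Object e = info == null ? null : info.get("email");
            email = e == null ? null : e.toString();
        }
        return Map.of("userId", userId, "email", email == null ? "" : email);
    }

    private Map<String, Object> fetchUserInfo(String accessToken) {
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(accessToken);
        return http.exchange(USERINFO_URL, HttpMethod.GET, new HttpEntity<>(headers),
                new ParameterizedTypeReference<Map<String, Object>>() {}).getBody();
    }
}
```

The `/userinfo` call only succeeds when the access token was issued with the userinfo audience (the default when no custom audience is requested, as noted above); an opaque or wrong-audience token gets a 401 from Auth0.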
