Hello,
I’m building a single page app that makes requests to an API endpoint.
I followed this tutorial and implemented a login screen with auth0.WebAuth in JS.
After a successful login, I attach the access_token to all subsequent requests to my API server.
However, the API server needs to know the roles of the user. The recommendation is to make a request to /userinfo from the server with the passed access_token in order to get the id_token.
Why can’t I just pass the id_token from the SPA inside the request and use its contents? This way I can avoid unnecessary requests to Auth0.
Thanks,
Edi Buslovich.
Finally, according to the answer here (Get user data server side - Auth0 Community), I created a rule to insert the user roles into the access token:
function (user, context, callback) {
  // Custom claim name, namespaced as Auth0 requires for custom claims
  var namespace = 'https://mydomain.com/';
  // Guard: app_metadata may be absent for a user, which would otherwise make the rule throw and fail the login
  var roles = (user.app_metadata && user.app_metadata.roles) || [];
  context.accessToken[namespace + 'roles'] = roles;
  callback(null, user, context);
}