Trusting the id_token sent to API from a SPA


I’m building a single page app that makes requests to an API endpoint.

I followed this tutorial and implemented a login screen with auth0.WebAuth in JS.

After a successful login, I attach the access_token to all subsequent requests to my API server.

However, the API server needs to know the roles of the user. The recommendation is to make a request to /userinfo from the server with the passed access_token in order to get the id_token.

Why can’t I just pass the id_token from the SPA inside the request and use its contents? This way I can avoid unnecessary requests to Auth0.


Edi Buslovich.

Finally, according to the answer here: Get user data server side - Auth0 Community, I created a rule to insert the user roles into the access token:

    // Auth0 rule: copy the user's roles from app_metadata into the access token.
    function (user, context, callback) {
      // Auth0 silently drops custom claims that are not namespaced; this should be
      // a URL-style namespace (e.g. 'https://<your-domain>/') rather than ''.
      var namespace = '';
      context.accessToken[namespace + 'roles'] = user.app_metadata.roles;
      callback(null, user, context);
    }