Auth0 Home Blog Docs

User info does not return identities



I’m trying to get a list of linked accounts, but userinfo does not return identities. Here is My token request:

var client1 = new RestClient($"https://{auth0Domain}/oauth/token");
            var request = new RestRequest(Method.POST);
            request.AddHeader("content-type", "application/json");
                new JavaScriptSerializer().Serialize(new
                    response_type = "token id_token",
                    grant_type = "password",
                    username = email,
                    password = password,
                    scope = "openid",
                    client_id = ConfigurationManager.AppSettings"auth0:ClientId"],
                    client_secret = ConfigurationManager.AppSettings"auth0:ClientSecret"],
                    audience = $"https://{auth0Domain}/api/v2/"
                }), ParameterType.RequestBody);
            IRestResponse response = client1.Execute(request);
            var content = new JavaScriptSerializer().Deserialize<dynamic>(response.Content);

It returns id and access tokens and a list of scopes:
openid profile email address phone read:current_user update:current_user_metadata delete:current_user_metadata create:current_user_metadata create:current_user_device_credentials delete:current_user_device_credentials update:current_user_identities

I tried both id and access tokens as a bearer for userinfo request with no luck. Here is the response:

As I understand I need read:current_user_identities scope, but I do not see it on the management dashboard.

What am I doing wrong?


The recommended way to obtain the full information within the user identities array would be to perform a Management API v2 request to the GET /api/v2/users/{id} endpoint using a Management API access token issued through client credentials grant containing the read:users scope and the read:user_idp_tokens if you also required access to IdP tokens. This would give complete access to all user information, however, it also implies that you have a client application able to perform a client credentials grant which excludes public clients like SPA’s and native applications. The reason for this recommendation is that in general the information contained within identities or in the full profile should not be exposed by default in user information endpoint.

Having said that, there are cases where exposing a subset of the identities properties or information derived from the identities array in user information endpoint might make sense. For example, if the client application wants to have a user profile page where it displays a summary of linked accounts then this info needs to be available in a way that every client application (even public clients) can obtain it. The recommendation here would be for you to add custom claims to the ID token in a rule and add only the information you strictly need from the identities array. The custom claims would then be available in the ID token itself and also in a call to the user information endpoint. You might wonder why go over all of this for a similar end result, however, this process is substantially different because it requires an explicit action where you as a developer can make an informed decision about which information you want to expose.