`/userinfo` endpoint in OIDC returns `updated_at` field as a string

glawler · May 13, 2021, 6:03pm

Hello,

I’ve added an application to my auth0 tenent so I can verify identities via a third-party app. That is, I’m using Auth0 and the database of users I have in my Auth0 tenant to verify users via OIDC. (The third party app is Ory’s Kratos.)

As part of this, I’m hitting the /userinfo endpoint. The json returned contains things I expect and want, but the updated_at field given back is an RFC3339 formatted string instead of an int64. I expect an int64 as that’s in the standard and is documented by Auth0 itself here: Authentication API Explorer. The scope I’m requesting is openid profile email.

Here’s a sample of what I get back from Auth0:

{                                                           
  "sub": ...,                  
  "nickname": ...,                                    
  "name": ...,                                
  "picture": ..., 
 "updated_at": "2021-05-11T21:13:25.566Z",                  
 "email": ...,                                
 "email_verified": true                                     
}

This matters to me as I’m unmarshalling that JSON into a Claims struct that assumes updated_at is an int64.

Is this a bug in the auth0 implementation?

Thanks.

edit: Here’s an example in the Auth0 docs which shows the updated_at field as the RCF3339 formatted string: Auth0.js v9 Reference What am I missing about the context of the differences in the /userinfo endpoints here?

stephanie.chamblee · May 14, 2021, 12:14pm

Hi @glawler,

You are right about the format of updated_at. It is a known issue that has been challenging to fix due to backward compatibility issues. You can read more about the context behind this in this related topic:

If your tenant is on a paid plan, you can open a support ticket to update this behavior so that an integer is returned for updated_at. Otherwise, you can send me a DM with your tenant name and I can request that update for your tenant.

system · May 29, 2021, 3:01pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
/userinfo response: API doc and actual response mismatch Help management-api , users	0	92	June 23, 2024
OIDC ID Token claim updated_at violates OIDC specification, breaks RP implementations Help	5	7835	September 2, 2019
OIDC-conformant error Help auth0 , oidc-conformant , python	4	2944	February 13, 2021
updated_at claim has wrong type Help claims , openidconnect	1	4405	March 2, 2018
Missing profile from userinfo endpoint Help auth0 , userinfo	4	4517	January 9, 2020

`/userinfo` endpoint in OIDC returns `updated_at` field as a string

Related topics