/userInfo returns incomplete information if logged in passing audience for an API


I log in with Auth0 Lock 10.18 and the Authorization Code Grant flow, specifying my own audience (https://thisIsMyTest) and the scopes I want.

var lock = new Auth0Lock('@(Model.ClientId)', '<my-domain>', {   // domain argument and opening brace were missing from the paste
    container: 'root',
    auth: {
        redirectUrl: '@(new Uri(Request.Url, Url.Content("~/LoginCallback.ashx")).ToString())',
        responseType: 'code',
        audience: 'https://thisIsMyTest',   // the audience line referred to in the text
        params: {
            scope: 'openid email name picture',
            passwordExpiredUrl: '@Url.Action("PasswordExpired", "Account", null, Request.Url.Scheme)'
        }
    },
    language: '@Thread.CurrentThread.CurrentCulture.TwoLetterISOLanguageName',
    forgotPasswordLink: '@Url.Action("ResetPassword")'
});

I receive a code and exchange it for a token in my LoginCallback.ashx. This token confirms I can access the userInfo endpoint:

   {
     "iss": "https://<my-domain>/",
     "sub": "<Auth0id>",
     "azp": "pr1l6f6GTRrIsa5VSHdCYxlzvZRN5Trb",
     "exp": 1499873942,
     "iat": 1499787542,
     "scope": "openid email name picture"
   }

Now, if I use the access token to query the /userinfo endpoint, this is the response I get, which clearly doesn't contain all I want:

   {
     "sub": "<auth0id>",
     "email": "mangel@mymail.ie",
     "email_verified": true
   }

However, if I perform the initial login exactly the same way but with the audience line commented out, that is, without specifying any audience, and use the short access_token returned (16 chars, something like "hhbhGB-KPnlddGAN"), then the response actually contains everything I want; but of course I cannot invoke my API with this token, since the audience was not specified.

   {
     "given_name": "Miguel",
     "family_name": "Muñoz",
     "email": "mangel@<mymail>.ie",
     "picture": "<url>",
     "nickname": "mangel",
     "last_password_reset": "2017-06-23T15:47:14.767Z",
     "name": "mangel@<mymail>.ie",
     "app_metadata": {
       "isActive": true
     },
     "isActive": true,
     "email_verified": true,
     "user_id": "<auth0id>",
     "clientID": "<clientId>",
     "identities": [
       {
         "user_id": "<id>",
         "provider": "auth0",
         "connection": "Username-Password-Authentication",
         "isSocial": false
       }
     ],
     "updated_at": "2017-07-11T15:47:53.289Z",
     "created_at": "2017-06-23T15:44:00.201Z",
     "sub": "<auth0Id>"
   }

Any explanation for this? Anything that I am missing? I would expect the first path to return exactly the same information as the second path when calling the /userInfo endpoint.


The API Authorization features (i.e. passing the audience parameter) invoke the new OIDC-conformant flows in Auth0. A list of OIDC standard claims can be found here:

Some claims returned by the non-OIDC flow (such as app_metadata) will not be returned when using the OIDC conformant flow. If you’d like to return custom claims, this can be done through Rules:
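As an added illustration of the answer above (example code, not from the thread or from Auth0's documentation): a Rule that copies an allow-listed app_metadata field into a namespaced custom claim, so that it survives the OIDC-conformant flow. Auth0 Rules have the signature `function (user, context, callback)` and custom claims must use a URL-style namespace; the namespace `https://example.com/claims/`, the allow-list, the function name `addAppMetadataClaims` and the `runRuleLocally` harness are all assumptions made here for the example.

```javascript
// Added example (not code from the thread): an Auth0-style Rule that copies selected
// app_metadata fields into namespaced custom claims. In the OIDC-conformant flow,
// non-standard claims such as app_metadata are not returned; custom claims are kept
// only under a namespaced (URL-style) name. The namespace is an assumed placeholder.
const CLAIM_NAMESPACE = 'https://example.com/claims/';

// Fields that may be exposed in a token. Keep this an explicit allow-list: anything
// else stored in app_metadata stays server-side and never reaches the browser.
const ALLOWED_APP_METADATA_KEYS = ['isActive'];

// The Rule body (hypothetical name); Auth0 invokes it as function(user, context, callback).
function addAppMetadataClaims(user, context, callback) {
  const appMetadata = (user && user.app_metadata) || {};
  context.idToken = context.idToken || {};
  for (const key of ALLOWED_APP_METADATA_KEYS) {
    if (Object.prototype.hasOwnProperty.call(appMetadata, key)) {
      context.idToken[CLAIM_NAMESPACE + key] = appMetadata[key];
    }
  }
  callback(null, user, context);
}

// Small local harness so the Rule can be exercised offline with a constructed user.
function runRuleLocally(user, context) {
  let result = null;
  addAppMetadataClaims(user, context, (err, u, c) => {
    result = { err: err, user: u, context: c };
  });
  return result;
}

// Constructed sample user: one allowed field and one that must not leak.
const demo = runRuleLocally(
  { app_metadata: { isActive: true, internalNote: 'do not expose' } },
  { idToken: {} }
);
console.log(JSON.stringify(demo.context.idToken));
```

The allow-list is the important part: copying `app_metadata` wholesale into the ID token would expose anything an administrator later stores there to every client that can read the token.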

Thanks for your reply, prashant.

I'm sorry, but I don't see how this applies to my problem. If you watch the scopes I'm asking for, I'm only asking for picture, name and email:
"scope": "openid email name picture"

Those values are listed in the standard OIDC claims link you pasted there, but I am still not receiving all of them.

Here is the answer to my question in a post from @amaan.cheval:

I was using the new API features, but my client was not set as OIDC-Conformant. Then the scopes I was passing weren't working as expected.

Now I went to:
Clients → Settings → Advanced Settings → OAuth and set my client as OIDC-Conformant and the result from /userinfo endpoint was correct.

Maybe that should be clearer in the documentation from the authentication flows. Just saying.

Thank you!
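As an added offline diagnostic for the situation described in this thread (example code, not from the thread or from Auth0): it inspects the unverified payload of an access token to tell a legacy opaque token from an API JWT, and lists which claims implied by the requested scope a /userinfo response does not contain. The scope-to-claims table is the one from OpenID Connect Core 1.0 section 5.4; treating a non-standard scope token such as `name` or `picture` as a single claim name is an assumption that mirrors the scope used in the thread. The sample token and sample /userinfo body are constructed here, and `makeUnsignedJwt`, `describeAccessToken` and `missingUserinfoClaims` are names chosen for this example.

```javascript
// Added example, not code from the thread. Standard OIDC scope -> claims mapping
// (OpenID Connect Core 1.0, section 5.4). Claims under 'profile' are optional, so an
// absent middle_name is normal; the function below only reports what is not present.
const SCOPE_CLAIMS = {
  profile: ['name', 'family_name', 'given_name', 'middle_name', 'nickname',
            'preferred_username', 'profile', 'picture', 'website', 'gender',
            'birthdate', 'zoneinfo', 'locale', 'updated_at'],
  email: ['email', 'email_verified'],
  address: ['address'],
  phone: ['phone_number', 'phone_number_verified'],
};

function toBase64Url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Build a constructed, unsigned JWT (dummy signature) so the example runs offline.
function makeUnsignedJwt(payload) {
  const header = toBase64Url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return header + '.' + toBase64Url(JSON.stringify(payload)) + '.x';
}

// Decode a JWT payload WITHOUT verifying the signature. Diagnostics only: never use
// the result for an authorization decision; the API must validate signature and aud.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;            // opaque legacy token, not a JWT
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Summarise what the token says about itself: format, audience and scope.
function describeAccessToken(token) {
  const payload = decodeJwtPayload(token);
  if (!payload) return { format: 'opaque', forApi: false, aud: [], scope: [] };
  const aud = Array.isArray(payload.aud) ? payload.aud : (payload.aud ? [payload.aud] : []);
  const scope = typeof payload.scope === 'string'
    ? payload.scope.split(/\s+/).filter(Boolean) : [];
  // Any audience other than the /userinfo endpoint means the token targets an API.
  const forApi = aud.some((a) => !/\/userinfo\/?$/.test(a));
  return { format: 'jwt', forApi: forApi, aud: aud, scope: scope };
}

// Claims the scope string asks for that the /userinfo body does not contain.
// Assumption: a scope token that is not a standard OIDC scope is treated as the
// name of one claim, matching the 'openid email name picture' scope in the thread.
function missingUserinfoClaims(scopeString, userinfo) {
  const expected = new Set();
  for (const s of scopeString.split(/\s+/).filter(Boolean)) {
    if (s === 'openid') { expected.add('sub'); continue; }
    for (const c of SCOPE_CLAIMS[s] || [s]) expected.add(c);
  }
  return [...expected].filter((c) => !(c in userinfo)).sort();
}

// Constructed samples modelled on the thread: an API access token and the short
// /userinfo response the poster received before enabling OIDC-Conformant.
const SAMPLE_API_TOKEN = makeUnsignedJwt({
  iss: 'https://<my-domain>/', sub: '<Auth0id>', azp: '<clientId>',
  aud: ['https://thisIsMyTest', 'https://<my-domain>/userinfo'],
  exp: 1499873942, iat: 1499787542, scope: 'openid email name picture',
});
const SAMPLE_USERINFO = { sub: '<auth0id>', email: 'mangel@mymail.ie', email_verified: true };

const info = describeAccessToken(SAMPLE_API_TOKEN);
console.log('token:', info.format, 'forApi:', info.forApi, 'scope:', info.scope.join(' '));
console.log('claims not returned:', missingUserinfoClaims(info.scope.join(' '), SAMPLE_USERINFO));
```

Run against a real exchange, the first line tells you whether the token is the 16-character opaque kind or an API JWT, and the second line turns "incomplete information" into a concrete list of claims to compare against the client's OIDC-Conformant setting and the scopes it was granted.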
