
/userInfo returns incomplete information if logged in passing audience for an API

api
userinfo
audience
authorization

#1

Hello!

I log in with Auth0Lock 10.18 and the Authorization Code Grant flow, specifying my own audience (https://thisIsMyTest) and the scopes I want.

new Auth0Lock('@(Model.ClientId)',
            '@(Model.Domain)',
            {
                container: 'root',
                auth: {
                    redirectUrl: '@(new Uri(Request.Url, Url.Content("~/LoginCallback.ashx")).ToString())',
                    responseType: 'code',
                    params: {
                        audience: 'https://thisIsMyTest',
                        scope: 'openid email name picture',
                        passwordExpiredUrl: '@Url.Action("PasswordExpired", "Account", null, Request.Url.Scheme)'
                    }
                },
                language: '@Thread.CurrentThread.CurrentCulture.TwoLetterISOLanguageName',
                forgotPasswordLink: '@Url.Action("ResetPassword")',
            });

I receive a code and exchange it for a token in my LoginCallback.ashx. This token confirms I can access the userInfo endpoint:

 {
   "iss": "https://<my-domain>/",
   "sub": "<Auth0id>",
   "aud": [
     "https://thisIsMyTest",
     "https://<my-domain>/userinfo"
   ],
   "azp": "pr1l6f6GTRrIsa5VSHdCYxlzvZRN5Trb",
   "exp": 1499873942,
   "iat": 1499787542,
   "scope": "openid email name picture"
 }

Now, if I use the access token to query the /userinfo endpoint, this is the response I get, which clearly doesn’t contain all I want:

 {
   "sub": "<auth0id>",
   "email": "mangel@mymail.ie",
   "email_verified": true
 }

However, if I perform the initial login exactly the same way but comment out the audience line, that is without specifying any audience, and use the short access_token returned (16 chars, something like “hhbhGB-KPnlddGAN”), then the response actually contains everything I want. But of course, I cannot invoke my API with this token since the audience was not specified.

 {
   "given_name": "Miguel",
   "family_name": "Muñoz",
   "email": "mangel@<mymail>.ie",
   "picture": "<url>",
   "nickname": "mangel",
   "last_password_reset": "2017-06-23T15:47:14.767Z",
   "name": "mangel@<mymail>.ie",
   "app_metadata": {
     "isActive": true
   },
   "isActive": true,
   "email_verified": true,
   "user_id": "<auth0id>",
   "clientID": "<clientId>",
   "identities": [
     {
       "user_id": "<id>",
       "provider": "auth0",
       "connection": "Username-Password-Authentication",
       "isSocial": false
     }
   ],
   "updated_at": "2017-07-11T15:47:53.289Z",
   "created_at": "2017-06-23T15:44:00.201Z",
   "sub": "<auth0Id>"
 }

Any explanation for this? Anything that I am missing? I would expect the first path to return exactly the same information as the second path when calling the /userInfo endpoint.

Thanks!


#2

The API Authorization features (i.e. passing the audience parameter) invoke the new OIDC conformant flows in Auth0. A list of OIDC standard claims can be found here:

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

Some claims returned by the non-OIDC flow (such as app_metadata) will not be returned when using the OIDC conformant flow. If you’d like to return custom claims, this can be done through Rules:

https://auth0.com/docs/rules/current#api-authorization-add-claims-to-access-tokens
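To make the point in this reply concrete, here is an added example (not code from the thread or from Auth0) that maps a scope string to the claims the OIDC Core 1.0 spec linked above says /userinfo should return, reports standard claims missing from a response, and checks whether a decoded access token like the one in the question is even acceptable at /userinfo (userinfo endpoint in `aud`, `openid` in `scope`). The scope-to-claims table is the spec's; scope values the spec does not define, such as `name` and `picture` used as scopes, are reported separately because whether they yield claims is provider-specific. The sample response and domain are constructed.

```python
# Added example, not code from the thread: OIDC Core 1.0 section 5.4 scope-to-claim
# mapping, used to check what a /userinfo response should contain. Samples are constructed.

# Scope values defined by the spec and the claims each one requests.
STANDARD_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def expected_claims(scope):
    """Return (claims, non_standard_scopes) for a space-separated scope string.

    'sub' is always part of a /userinfo response. Scope values the spec does not
    define (e.g. 'name' or 'picture' used as scopes) are listed separately: whether
    they yield claims depends on provider-specific handling, not on the spec.
    """
    claims = {"sub"}
    non_standard = []
    for value in scope.split():
        if value == "openid":
            continue
        if value in STANDARD_SCOPE_CLAIMS:
            claims |= STANDARD_SCOPE_CLAIMS[value]
        else:
            non_standard.append(value)
    return claims, non_standard

def missing_claims(scope, userinfo):
    """Standard claims requested via scope but absent from a /userinfo response."""
    claims, _ = expected_claims(scope)
    return sorted(c for c in claims if c not in userinfo)

def can_call_userinfo(token_claims, domain):
    """A decoded access token may be presented to /userinfo only if that endpoint
    is among its audiences and the token carries the openid scope."""
    aud = token_claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    scopes = token_claims.get("scope", "").split()
    return "https://%s/userinfo" % domain in aud and "openid" in scopes

# Constructed sample matching the OIDC-conformant response shown in the question.
SAMPLE_USERINFO = {"sub": "<auth0id>", "email": "user@example.com", "email_verified": True}
```

Running `expected_claims("openid email name picture")` shows that only `email` and `email_verified` (plus `sub`) are requested by standard scopes, which matches the response in the question; `name` and `picture` are flagged as non-standard scope values.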


#3

Thanks for your reply prashant.

I’m sorry, but I don’t see how this applies to my problem. If you look at the scopes I’m asking for, I’m only asking for picture, name and email:
“scope”: “openid email name picture”

Those values are listed in the standard OIDC claims link you pasted, but I’m still not receiving all of them.


#4

Here is the answer to my question in a post from @amaan.cheval:
https://community.auth0.com/questions/62/what-is-the-correct-way-to-add-custom-claims-to-id

I was using the new API features, but my client was not set as OIDC-Conformant. So the scopes I was passing weren’t working as expected.

Now I went to:
Clients -> Settings -> Advanced Settings -> OAuth and set my client as OIDC-Conformant and the result from /userinfo endpoint was correct.

Maybe that should be clearer in the documentation from the authentication flows. Just saying.

Thank you!
