Auth0 Home Blog Docs

Using access_tokens and id_tokens together Auth0

jwt
auth0
login
#1

As per this article its clear that to secure apis, all we need is the access_token and that is sent with each http request in the request Authorization header(Bearer scheme).

But then auth0 also sends an Id_token that contains information about the user. My confusion is that how do I use this id_token to pass user information to my api. ( I have a spa running front end that authenticates to auth0 and gets these 2 tokens).

I can ofc call the /userInfo end point in my api to get user info. But then wouldn’t this defeat the purpose of the Id tokens?

The ID Token is consumed by the application and the claims included, are typically used for UI display. It was added to the OIDC specification as an optimization so the application can know the identity of the user, without having to make an additional network requests.

So my question is how do I access user profile in my api using id tokens?

#2

I would appreciate someone answered this…

I’m only using Auth0 API, not any of its widgets to keep it lightweight.

I think I have nailed the access_token part by following this guide https://auth0.com/docs/quickstart/backend/nodejs/01-authorization

But I’m lost as what to do with my id_token. I guess what could work is storing it in browser localStorage, then simply decode it with atob (but not sure how to verify it yet) to get its expiry date that determines isAuthenticated flag and etc.

Would be great if the doc talks more about implementation details of id_token.

Again, hope someone respond :pray: @luis.rudge @jmangelo