Using access_tokens and id_tokens together Auth0

As per this article its clear that to secure apis, all we need is the access_token and that is sent with each http request in the request Authorization header(Bearer scheme).

But then auth0 also sends an Id_token that contains information about the user. My confusion is that how do I use this id_token to pass user information to my api. ( I have a spa running front end that authenticates to auth0 and gets these 2 tokens).

I can ofc call the /userInfo end point in my api to get user info. But then wouldn’t this defeat the purpose of the Id tokens?

The ID Token is consumed by the application and the claims included, are typically used for UI display. It was added to the OIDC specification as an optimization so the application can know the identity of the user, without having to make an additional network requests.

So my question is how do I access user profile in my api using id tokens?

I would appreciate someone answered this…

I’m only using Auth0 API, not any of its widgets to keep it lightweight.

I think I have nailed the access_token part by following this guide

But I’m lost as what to do with my id_token. I guess what could work is storing it in browser localStorage, then simply decode it with atob (but not sure how to verify it yet) to get its expiry date that determines isAuthenticated flag and etc.

Would be great if the doc talks more about implementation details of id_token.

Again, hope someone respond :pray: @luis.rudge @jmangelo

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?