Using idToken to access internal API

tamlynfm · July 21, 2022, 5:14pm

I’ve got it working now with an access token. For anyone else who comes here:

You need to create a separate Application and API in Auth0.
Then in your mobile app, you set it up with the client ID of the Application but also pass the Identifier (not Id) of the API as the audience. For the react-native-auth0 package I couldn’t find this documented anywhere and I had to trawl through the source code to find the correct way to do it:
```
auth0.webAuth
    .authorize({
      scope: 'openid profile email',
      audience: '<API Identifier>',
    })
```
Now the accessToken is an unencrypted JWT rather than the opaque JWE that you get by default. But it still doesn’t have any useful information in.
In order to get user details in the access token you have to create a Rule in Auth0. Rules are bits of custom JavaScript that run in Auth0 and modify your tokens before issue.

I would still really like to understand why it’s not OK to use the ID token for authentication in an API.

Topic		Replies	Views
Appropriate token usage for 1p webapp Get Help jwt , oidc , access-token , id-token	2	2144	September 27, 2022
Using access_tokens and id_tokens together Auth0 Get Help jwt , auth0 , login	3	3420	September 3, 2019
Access token vs id token usage Get Help	3	3811	August 30, 2019
Clarify the usage of ID token for authenticating to an API you own Get Help	3	5047	May 28, 2019
Confusion around how to use id_token and access_token Get Help id_token , access-token	7	13210	March 2, 2018