I have generated an access token for an SPA/web-type application using the authorization code flow grant type (with the 2-step process below):
- Got the authorization code by executing the GET /authorize API in the browser.
- In Postman, executed the POST /token API by sending the authorization code (from step 1); here I got only an access token. I do not see an ID token coming along with the access token.
I've added a rule to include the user email in the access token payload, which I also validated manually at jwt.io.
I've sent this access token in the request headers (Authorization: Bearer <token>) to my application API, and my application API authorization is working as expected.
Now, we have a use case to verify user email and scope with custom policies at my application API. So that my application ensures only authorized users can perform certain business activities.
To implement this I need to extract/decode the scope and user email from the access token payload (in my application). I was hoping Auth0 might have an introspection API (similar to Okta's introspect). Going through the Auth0 community I learnt that Auth0 does not seem to have an introspect API. As an alternative I'm trying the /userinfo API (passing the access token). I'm getting a 401 - Unauthorized (invalid credentials) error message.
Can you confirm that going with /userinfo is the right approach here?
If so, how do I call the /userinfo API providing the access token?
Can you help me with the info.