Why is the id_token not exposed in the auth0-spa lib

We have a few SPAs along with backend APIs and we were seeing if we could authenticate with auth0. While we figured out most of what is necessary, thanks to the clear documentation, we still had a few questions.

We tried two things:

  1. Login with auth0-spa lib

  2. Login with auth0-js lib

We preferred auth0-spa lib as we are using a SPA. I think the recommendation from your docs is to use auth code with redirect and get the token and user details from the methods that you expose. While the library had the method to get the access token, it did not have a method to get the id_token. I had to get it from the cache property, which is not documented anywhere. We have our own mechanisms to authorize the user and wanted to use auth0 for authentication alone. So we are more interested in getting the id_token. But I saw that the access_token that is being sent is actually retrieved from the cache property of the auth client. May I know why the id_token is not exposed? We wanted to send the id_token to the backend API, to do JWT verification and retrieve user details. But from what I see you just recommended using the access_token. We want to get the id_token too, but not through the ‘cache’ property or some other unrecommended ways.

With auth0-js lib we got the access_token and id_token as expected. But in the URL redirect, the id_token and access_token were part of the URL fragment and not the query param or path directly. I understand that it is not recommended for SPAs and hence the tokens are part of the URL fragment.

Could you help us with this?

Thanks

Hi @rameshwaranb,

Welcome to the Community!

This is something that I have seen requested before. Currently, you can get the id token claims via getIdTokenClaims, but it will not give you the raw token.

If you would like to give us feedback on the subject you can do that here:

Thanks,
Dan
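
The backend-side JWT verification the question mentions, as an added example that is not part of the thread and not Auth0's code. Under OpenID Connect an ID token's `aud` is the client application's ID, so an API that pins the algorithm, issuer and its own audience accepts an access token issued for it and rejects an ID token. The issuer, API identifier, client ID, key pair and tokens below are constructed for illustration.

```javascript
// Added example: all identifiers, keys and tokens are constructed placeholders.
const crypto = require('node:crypto');

const ISSUER = 'https://tenant.example/';          // hypothetical issuer
const API_AUDIENCE = 'https://api.example/orders'; // hypothetical API identifier
const SPA_CLIENT_ID = 'spa-client-id-placeholder'; // hypothetical SPA client ID

// Constructed key pair standing in for the authorization server's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (data) => Buffer.from(data).toString('base64url');

// Helper for the demo only: mint an RS256 JWT with the given claims.
function mintToken(claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// API-side check: structure, pinned algorithm, signature, issuer, expiry, audience.
function verifyForApi(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm; the token header must not be allowed to choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  if (claims.iss !== ISSUER) return { ok: false, reason: 'bad issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  // An ID token is addressed to the client app, so its aud fails this check.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(API_AUDIENCE)) return { ok: false, reason: 'wrong audience' };
  return { ok: true, sub: claims.sub };
}

const exp = Math.floor(Date.now() / 1000) + 300;
const accessToken = mintToken({ iss: ISSUER, sub: 'user|1', aud: API_AUDIENCE, exp });
const idToken = mintToken({ iss: ISSUER, sub: 'user|1', aud: SPA_CLIENT_ID, exp });
```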
