1

I started from this React sample application from Auth0 and login through Auth0 works fine but does not give me the expected token.

After login the browser localStorage contains an id_token and a profile object. When I decode the id_token I see that the payload contains something like this: 

{
  "iss": "https://mycompany.eu.auth0.com/",
  "sub": "auth0|5821bc27f92ca3261c628a26",
  "aud": "2A8cgDBm86kLCtCNtUMcKPL2G3oqjIdE",
  "exp": 1478755859,
  "iat": 1478719859
}

The profile contains email and lots of other good stuff from the user profile as registered in Auth0.

I need to parse on the token to my API server and therefore I need the attributes from the profile-object to be part of the token. How can I make the id_token contain all these attributes, so that I can parse it in my API-service and store it the first time the user logs in?

As I see it, I cannot use the profile-object found in the browser localStorage as it needs to be signed by Auth0 in order for my API server to trust the information.

I'm also aware that I can use the id_token to make a request from my API server directly to Auth0 to get this additional information, but I just think it would be simpler and more efficient if the information was carried by the token.

Nikola Schou
  • 2,386
  • 3
  • 23
  • 47

2 Answers2

2

Those are the claims included by default in a id_token; it's possible to request other claims to be included by passing a scope parameter with the appropriate value.

See Scopes - Requesting specific claims, for a reference on what you can pass in the scope parameter in order to influence the contents of the id_token.

João Angelo
  • 56,552
  • 12
  • 145
  • 147
0

To add onto João Angelo's answer, you can't request the entire "App_Metadata" object in scope. If there are app specific fields e.g. lang or favorite color, these have to be called out specifically.

Example App MetaData enter image description here

Example call

https://example.auth0.com/authorize
  ?response_type=token
  &client_id=YOUR_CLIENT_ID
  &redirect_uri=http://jwt.io&connection=google-oauth2
  &scope=openid+lang+favoriteColor

There may be additional caveats to the scope parameter, it would be good to ask Auth0 as you run into issues

extraordin
  • 83
  • 1
  • 6