
I'm implementing Auth0 with my ASP.NET Core 2.1 app with React front end.

After the user authenticates, I do get both an access_token and an id_token. I'm clear that I send the access_token in the header to gain access to my API methods but I'm not sure how to handle the id_token.

Do I place the id_token in the header as well? If so, what key do I use for it? I'm sending the access_token with the key Authorization -- see below.

Not sure how to send the id_token and would appreciate some pointers on this. Thanks.

Sam
  • You would use `id_token` to construct the User object in SPA application and `access_token` is used to access the API. So, you don't put the `id_token` in the header. – sakura-bloom Sep 05 '18 at 22:35
  • I would then need to decipher the `id_token` to read the claims and get user info. Do I use a library for that? – Sam Sep 05 '18 at 22:37
  • Yes, there would normally be a library for that. I haven't used Auth0 specifically, but this might help: https://auth0.com/docs/libraries/auth0js/v9 – sakura-bloom Sep 05 '18 at 22:39
  • The library might help with things like constructing user object and refreshing the access token. – sakura-bloom Sep 05 '18 at 22:42
  • Just went over the Auth0 documentation and looks like I make a call to get user profile which returns the user object with all the pertinent information. Thank you! – Sam Sep 05 '18 at 22:53
  • Since you just posted comments, I up-voted them but if you post your response as an answer, I'll accept it so that you can get credit for your help. Thanks again! – Sam Sep 05 '18 at 22:54

1 Answer


You would use id_token to construct the User object in SPA application and access_token is used to access the API. So, you don't put the id_token in the header.

There is a JavaScript library for Auth0 that can help with authentication/authorization tasks: Auth0.js.

The library may help with constructing the user object and refreshing the access token.

sakura-bloom
  • Or in other words you use the `id_token` to communicate back to the Auth0 API. – Brad Sep 05 '18 at 23:33
  • I have a follow up question, described here in a separate question: https://stackoverflow.com/questions/52230383/sending-user-info-along-with-access-token – Sam Sep 07 '18 at 23:11
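
The split described in the answer, as an added example that is not part of the original thread and not Auth0's code: the SPA reads the `id_token` claims to build its user object and sends only the `access_token` in the `Authorization` header. The function names, client ID and sample token are constructed for illustration, and signature validation is assumed to have been done by the auth library that delivered the token.

```javascript
// Added example (not from the original thread). All token values are constructed.
// Decode one base64url JWT segment to a UTF-8 string (browser or Node 16+).
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Build the SPA's user object from the id_token claims.
// This only READS claims: decoding is not verification, so the signature is
// assumed to have been validated by the library that handled the login.
function userFromIdToken(idToken, expectedAudience, nowSeconds = Date.now() / 1000) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a three-part JWT');
  const claims = JSON.parse(b64urlDecode(parts[1]));
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) throw new Error('id_token was issued to a different client');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    throw new Error('id_token has expired');
  }
  return { id: claims.sub, name: claims.name, email: claims.email };
}

// Only the access_token travels to the API; the id_token stays in the SPA.
function apiRequestInit(accessToken) {
  return { headers: { Authorization: `Bearer ${accessToken}` } };
}

// Constructed sample id_token (the signature segment is a placeholder).
function b64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_CLIENT_ID = 'constructed-client-id';
const sampleIdToken = [
  b64urlEncode({ alg: 'RS256', typ: 'JWT' }),
  b64urlEncode({
    sub: 'auth0|constructed-user', name: 'Sam Example', email: 'sam@example.com',
    aud: SAMPLE_CLIENT_ID, exp: 4102444800, // 2100-01-01
  }),
  'constructed-signature',
].join('.');
```

Usage: `fetch(url, apiRequestInit(accessToken))` for API calls, and `userFromIdToken(idToken, clientId)` once after login to populate the user state.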