
While starting to integrate Auth0, I came across this article. So it's clear that to secure APIs, all we need is the access_token, and that is sent with each HTTP request in the request Authorization header (Bearer scheme).

But then Auth0 (and possibly other providers) also sends an id_token that contains information about the user. My confusion is: how do I use this id_token to pass user information to my API? (I have an SPA front end that authenticates to Auth0 and gets these two tokens.)

I can of course call the userinfo endpoint in my API to get user info. But then wouldn't this defeat the purpose of the ID tokens?

The ID Token is consumed by the application, and the claims included are typically used for UI display. It was added to the OIDC specification as an optimization so the application can know the identity of the user without having to make additional network requests.

So my question is: how do I access the user profile in my API using ID tokens?

rahulserver

2 Answers


"My confusion is that how do I use this id_token to pass user information to my api": for that confusion, you just pass your JWT token. While generating the JWT token, you need to add the user information to the payload part of the JWT token. When your API gets the JWT token, just check whether the JWT token is correct or not by using the secret key, and if it is correct, you can get the data. For how to get it, just go from that: JWT Authentication for Asp.Net Web Api

J X J
  • The JWT token is coming from Auth0, so I am not "generating" it. Also, my question is exactly HOW do I send it to the server? (Via some header or otherwise.) – rahulserver Nov 13 '18 at 04:20
  • So which server? If the server is your local server, you can pass it in a header and get it from the server. If the server is Azure or something, you need to follow their documentation. Normally they give an API; you request their API with that token and the API will give a response. In that response, there is user information. – J X J Nov 13 '18 at 06:32

The ID token is sent from the authorization server as a part of the OIDC protocol. The purpose of this is to authenticate the user to your client application (the SPA in this case), i.e. to let your API or the application know which particular user authorized the client to access a certain resource on their behalf.

The best way to use the ID token is by decoding and verifying it using a library. This will allow you to verify the signature of the token and any other claims that are included in the token (you can add custom claims to the tokens). Validation of those claims can be used to determine the identity of the user and match it with the user profile in your API. You will have to check the documentation for your IdP (Auth0) to figure out how to add new claims that are used by the user profile in your API.

RrR-