使用谷歌身份验证从 Auth0 AccessToken 获取用户电子邮件

Question

I am using Auth0 for Google Authentication for my React App. Login is working successfully and I am getting access token using the getTokenSilently of the auth0-spa-js . But this token do not have user email or name.

const { getTokenSilently } = useAuth0();
getTokenSilently().then((t:any) => {
    //t is the token
});

This has following claims:

{
  "iss": "https://testauth0.auth0.com/",
  "sub": "google-oauth2|<id>",
  "aud": [
    "test1",
    "https://testauth0.auth0.com/userinfo"
  ],
  "iat": 1567615944,
  "exp": 1567702344,
  "azp": "<>",
  "scope": "openid profile email"
}

How can I request email and name to be part of the token? Do I need to pass any parameters to getTokenSilently ?

I will be using this token to call an API and I need the email address. An alternative I see is to use the id that is part of the "sub" claim but email is much easier.

Thank you for your help.

Update I am able to get user info in the API using the userinfo endpoint (part of the aud claim). I would love to avoid this extra call.

Answer 1

You should be able to get the id token via auth0.getIdTokenClaims() . This will have the user profile.

Answer 2

From Google's OpenId Connect documentation ( https://developers.google.com/identity/protocols/OpenIDConnect )

Obtaining user profile information

To obtain additional profile information about the user, you can use the access token (which your application receives during the authentication flow) and the OpenID Connect standard:

To be OpenID-compliant, you must include the openid profile scope in your authentication request.

If you want the user's email address to be included, you can optionally request the openid email scope. To specify both profile and email, you can include the following parameter in your authentication request URI:

scope=openid%20email%20profile

Add your access token to the authorization header and make an HTTPS GET request to the userinfo endpoint, which you should retrieve from the Discovery document using the key userinfo_endpoint. The response includes information about the user, as described in OpenID Connect Standard Claims. Users may choose to supply or withhold certain fields, so you might not get information for every field to which your scopes request access.

There's no way to avoid this extra call as you name it.

Answer 3

Adding to dan-woda 's answer we need to first add the required information in the claims, here in this case to the accesstoken . This can be done using a rule.

eg

function (user, context, callback) {
  context.accessToken["http://mynamespace/user_email"] = user.email;
  callback(null, user, context);
}

Check out the samples given example of adding to idtoken

Answer 4

Adding 'email' to the scopes would do the trick

AuthorizationTokenRequest(
          AUTH0_CLIENT_ID,
          AUTH0_REDIRECT_URI,
          issuer: 'https://$AUTH0_DOMAIN',
          scopes: <String>['openid', 'email', 'profile'],
        ),