How to include user details in Access Token JWT Payload while implementing Auth Code Flow with PKCE with auth0?

huangapple go评论66阅读模式
英文:

How to include user details in Access Token JWT Payload while implementing Auth Code Flow with PKCE with auth0?

问题

I'm trying to work through implementing an Auth Code Flow with PKCE in a personal web application, and I'm stuck, so any help would be appreciated. The goal of the website is for a user to login (with OAuth2 from Auth0), and perform CRUD operations on some records which only the user has access to. The app is a React SPA with an express backend. The flow I'm trying to implement right now is:

  1. User authenticates via frontend: Login via OAuth to retrieve Auth Code
  2. We exchange Auth Code for an access token, set it as the Authorization header Bearer token
  3. On the client, user creates a resource via POST call to server: On the backend, we validate the access token.
  4. On the backend, we determine WHO the resource is; this is critical because I need to know which records belong to this user (this is basically where I'm stuck)
  5. Record is created with that user's email_address as one of the columns

Right now the only way I know how to implement 4. is by having my server call this GET /userinfo API from auth0: https://auth0.com/docs/api/authentication#user-profile. This allows me to get the email from the user's profile, but the HTTP call sometimes takes quite long (~500ms), and it just feels wrong to have to do this for every CUD operation.

I thought there would be a way to have user information included as a claim in the Access Token. I tried fiddling around with different scope values in my request for the Auth token, but none of them change the properties in the JWT's payload.

I would greatly appreciate anyone who takes the time to read this and perhaps provides a solution, thanks.

英文:

I'm trying to work through implementing an Auth Code Flow with PKCE in a personal web application, and I'm stuck, so any help would be appreciated. The goal of the website is for a user to login (with OAuth2 from Auth0), and perform CRUD operations on some records which only the user has access to. The app is a React SPA with an express backend. The flow I'm trying to implement right now is:

  1. User authenticates via frontend: Login via OAuth to retrieve Auth Code
  2. We exchange Auth Code for an access token, set it as the Authorization header Bearer token
  3. On the client, user creates a resource via POST call to server: On the backend, we validate the access token.
  4. On the backend, we determine WHO the resource is; this is critical because I need to know which records belong to this user (this is basically where I'm stuck)
  5. Record is created with that user's email_address as one of the columns

Right now the only way I know how to implement 4. is by having my server call this GET /userinfo API from auth0: https://auth0.com/docs/api/authentication#user-profile. This allows me to get the email from the user's profile, but the HTTP call sometimes takes quite long (~500ms), and it just feels wrong to have to do this for every CUD operation.

I thought there would be a way to have user information included as a claim in the Access Token. I tried fiddling around with different scope values in my request for the Auth token, but none of them change the properties in the JWT's payload.

I would greatly appreciate anyone who takes the time to read this and perhaps provides a solution, thanks.

答案1

得分: 1

解决方案是向我的访问令牌添加一个包含电子邮件的自定义声明:

https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims

英文:

Solution was to add a custom claim to my Access Token containing the email:

https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims

huangapple
  • 本文由 发表于 2023年5月15日 04:35:07
  • 转载请务必保留本文链接:https://go.coder-hub.com/76249567.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定