I'm somewhat confused with the way I am supposed to handle user information on the server side when using Token-Based Authentication.
I'm building a RESTful Single Page App using React and Flask and I'd like to use an authentication provider such as Auth0.
The way I see it, this is the user's workflow:
jwt that is stored in localStorage
jwt is sent along the request
What I do not get is how the user's data fits in this pattern, for instance their email address to log a change in my database:
id_token?) and should be passed along as claims in step 3?
Thanks for your help!
Yes, if you have the default settings for the client in Auth0, this information regarding the user should be inside your id_token. If you use the JWT debugger at jwt.io and paste your id_token into the encoded section, the right-hand side will show the contents of your token.
What this basically does is decode the token. You'll have to do the same thing in your application to use the user's name, email, email_verified, ...
A common practice is to decode the token once (in the front end), when the user logs in. Store this information in a global variable so it's usable throughout your application.
For use in the backend (Python), simply decode the token with pyjwt.
You'll probably want to use the jsonwebtoken library for handling the decoding in the frontend.