
Serverside id_token with Auth_0


I'm somewhat confused with the way I am supposed to handle user information on the server side when using Token-Based Authentication.

I'm building a RESTful Single Page App using React and Flask and I'd like to use an authentication provider as Auth0.

The way I see it, this is the user's workflow:

  1. Enters email + password on the client side
  2. Auth0 confirms this and returns a jwt that is stored in localStorage
  3. When the user posts or gets data from my server, the jwt is sent along the request
  4. The server checks with Auth0 that this token is valid
  5. If this token is valid, then it processes the user's request

What I do not get is how the user's data fits in this pattern, for instance their email address to log a change in my database:

  • Is it returned at step 2 (the id_token?) and should be passed along as claims in step 3?
  • Or should it be fetched at step 4 when the server checks for the received token?

Thanks for your help!


Solution

  • Yes, if you have the default settings for the client in Auth0 this information regarding the user should be inside your id_token. If you use the JWT debugger at jwt.io and paste your id_token into the encoded section, the right hand side will show the contents of your token.

    What this basically does is decode the token. You'll have to do the same thing in your application to use the user's name, email, email_verified, ...

    A common practice is to decode the token once (in the front end), when the user logs in. Store this information in a global variable so it's usable throughout your application.

    For use in the backend (Python), simply decode the token with pyjwt.

    You'll probably want to use the jsonwebtoken library for handling the decoding in the frontend.
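As an added example (not code from the answer, from Auth0, or from pyjwt), here is the backend side of the answer in plain Python: it shows the difference between decoding the id_token (what jwt.io does) and verifying signature, issuer, audience and expiry before the email claim is trusted. It uses HS256 with a constructed secret so it runs offline; Auth0 issues RS256 tokens by default, so in a real Flask backend the same checks are done by pyjwt against the tenant's public signing key, and the issuer and client id values below are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """What jwt.io shows: base64url-decode the payload. Nothing is trusted yet."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_hs256(token, secret, audience, issuer, now=None):
    """Check the signature first, then iss/aud/exp; only then hand back claims."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def user_email(token, secret, audience, issuer):
    """Backend use of the id_token: take the email only from verified claims."""
    claims = verify_hs256(token, secret, audience, issuer)
    if not claims.get("email_verified"):
        raise ValueError("email not verified by the identity provider")
    return claims["email"]

def make_token(claims, secret):
    """Constructed issuer side, standing in for Auth0 so the demo runs offline."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```

The point for step 4 of the question: a client can always send a payload claiming any email, and decode_unverified will happily show it, so the server must run the verification before logging that address against a change.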