Auth0, how do I verify the user on the backend? - auth0

I'm using auth0, I have a front end web-app & a backend api.
On the backend api, I want to get the current users email.
Currently, on the web-app, I have a Access_Token and a Id_Token
The Access_Token is what I need to authenticate for the api, but it does not have the user info that I need (email)
The Id_Token can be decrypted to get the users email
Here is the functionality that I want:
If someone hits
GET /friends
My API will only fetch the friends for the currently authenticated user
What is the best way do this?
The options I thought of so far:
Send both the Access_Token and Id_Token to the API, and decrypt the Id_Token for the user data
Send only the Access_Token, then use the Access_Token on the API to request a new Id_Token from auth0
On the web-app, decrypt the Access_Token, add the email to it, then encrypt

Related

Auth0 - Authorize Auth0 Access Token with grant_type = password in our .net core API

we achieved the below points with Auth0.
We are able to get Management API token with client_id, client_secret, audience & "grant_type":"client_credentials"
We are able to create user/get userinfo with this token.
we are able to get access_token & id_token by "grant_type":"password", with Username & Password.
Till here we are good.
Now Question is, we have our own API which is hosted in AWS, Now we need to Authorize that API with id_token (Considering user-specific Token)
I am able to Authorize with a Management API token, but that is static for all users, I need to authorize my API with a User-Based token when I can also get some claims values, etc.
Thanks.

Use Authentication (different Token) from Collection within Requests in Postman

I try to create a postman collection for my backend service which uses Azure B2C Authentication.
Within my Collection I added Authentication, which works and I can authenticate within my Chrome Browser:
Once I am authenticated and redirected back to Postman it says that an access_token can not be found. I can see that it is in id_token:
Now I created also a Request with Authentication Type oAuth 2.0 where I could select Available Token. But as the token is not within access_token it does not autofill the token. Is there any way to tell Postman that i want to use id_token as access_token within my requests in the collection?
Thanks for your help and feedback
As you saved your token with the name as Azure AD B2C Authentication, for your requests, you can select the Azure AD B2C Authentication from your available tokens.
This will auto-fill the token
I created the token with name as access token
Now for my request, I selected the access token from the available tokens under Access Token
Then the token is auto-filled as below
In this way, you can use the Access Token in collections in postman

Authorize Salesforce REST API without Username and password

I want to authorize(OAuth2) the Salesforce API from a service, using client_id, client_secret and redirect URL. I DO NOT want to keep username and password in my system. Can somebody please help?
You need to implement an OAuth flow, such as the Web Server flow or JWT bearer flow, both of which will allow you to obtain new access tokens for the lifespan of your integration without storing raw user credentials. Note that you will still need a user account under which to authenticate.

How to "sign in with Google" (id_token) *and* receive a code/access_token for specific scope (for the backend)

I'm building an application where a user should be able to sign in with Google, but afterwards, the backend server needs access to some data from the users's account (analytics.readonly scope).
If I understand it correctly, this can be done with the "OAuth Hybrid Flow": An id_token and an authorization_code are returned on the front channel, but the sensitive access_token and refresh_token can only be retrieved on the back channel.
Yet, Google does not seem to provide this functionality.
I imagined that my frontend could receive both an id_token and a code as URL parameters after the Google OAuth flow. The React frontend would then POST both the id_token and the code to my Flask backend.
The backend would then 1) check the id_token, 2) exchange the code for a refresh/access token and return an authenticated session cookie to the frontend.
Now my question:
Can I use just the returned authorization_code to sign in my users? (i.e. instead of an id_token?) What are the security implications? In that case I could just continue with the regular Authorization Code Flow on the backend.
Is there a way, to retrieve both an id_token and an authorization_code from Google at the same time that I have not found?
Is there any other way to achieve what I want? (Sign in with Google for Frontend, secure retrieval of access_token/refresh_token that only the backend needs)
Thanks!
I would handle the token management on the backend instead of doing it in the frontend.
The authorization code is only used as part of the authorization code flow.The code is just a random token and does not contain any user info, so you can't use it to signin the user.
You can't get the id_token and authorization_code at the same time, why would you? Auth code flow is a two step process, so you always get a code first, that you then can exhange for the id/access tokens.
I would consider looking at this this great video for how to approach authentication for SPA applications.

Google Data API: OAuth authenticate URL instead of authorize URL?

I'm accessing the Google Contacts API using OAuth.
I see from the docs that I have an authorize URL (https://www.google.com/accounts/OAuthAuthorizeToken), used to get the access token, but not an authenticate URL, a thing other services implementing OAuth use to automatically redirect the user to my site when he has previously given me the permission to access his data.
Linkedin does it
https://www.linkedin.com/uas/oauth/authorize
https://www.linkedin.com/uas/oauth/authenticate
Twitter does it
https://twitter.com/oauth/authenticate
https://twitter.com/oauth/authorize
But I couldn't find a way to do this using the Google API.
Anyone knows if it's there?
Thanks
Google uses the same url for authentication and authorization, so just redirect your users to the authorize url with the appropriate parameters in the query string. Google then determines if the user needs to login, authorize your app, or both.
The flow would go something like this...
Get the request token
Redirect your users to the authorization link
https://www.google.com/accounts/OAuthAuthorizeToken?scope=http%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds&oauth_token=REQUEST_TOKEN&oauth_callback=http%3A%2F%2Fwww.mysite.com%2Fcallback
User authorizes your app, then exchange the requst token for an access token.