Getting info about JWT user #242
Comments
The ID token already contains the user information in its payload. But before accessing that, you should first verify its precedence and that's where you use the Alternatively, you could make a second request to the
But from where can I get an access token for "user info"?
There are many variables that can change what you receive. Can you show me the code you're using to authenticate a user, please?
@michaldev If you just want to programmatically look at stuff, you can use this SDK's authentication.GetToken class and authentication.AsymmetricSignatureVerifier. AsymmetricSignatureVerifier.verify_signature() returns the decoded token payload. TokenVerifier uses the results from your signature verifier (payload), but does additional checks on the claims (payload contents). However, this one does not return anything, only throws errors.
Maybe Auth0 isn't for me. I decided to use Auth0 because (probably) I don't need to use multiple native libraries for social auth on the frontend (only a webview popup), and in the Python backend I don't need to implement mailing, authentication, and other things. Additionally, I have fewer in-app pages/screens which the user sees once (like login, register, forgot password, reset password). Then I will have cleaner code and I will be able to focus on other screens. But I think Auth0 exists for other solutions (authentication for multiple websites etc.) and isn't the best solution for my use case, right?
And do I have to get only the code (from /authorize) in the mobile app and send it to the Python backend, then use the code in Python? What is the best way? I was thinking of JWT authorization for my Python backend. Do I have to save the code or the JWT in my backend DB?
Let me explain it briefly, although I encourage you to watch the identity labs Auth0 published. The idea is that your mobile app first gets the access token, and using it then calls your backend/API. From the mobile app, you should be performing a "Code + PKCE" flow (read more about this flow here). That's a call to In the case of requiring to call an API (like your case), you would also pass an "audience" value in the On your backend side, you'd receive a request authorized with the access token. You should take that access token and perform some checks before trusting the contents. I've found that most of the above is explained in detail in this article. Note that there are many Auth0 SDKs you could use, depending on the platform, to skip many of the manual steps explained in there. You can also find many quickstarts explaining how to authenticate and call an API on the site.
I suggest you first follow one of the mobile app quickstarts to understand how the authentication is achieved: https://auth0.com/docs/quickstart/native. Once you are able to authenticate and have your access token, then move the attention to the backend / m2m: https://auth0.com/docs/quickstart/backend.
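The "Code + PKCE" flow with an "audience" value that the comment above describes, shown as an added example that is not part of this thread and not code from the auth0-python SDK. It builds the request a native app would open at the tenant's /authorize endpoint and the body it would later POST to /oauth/token, using only the Python standard library. The domain, client id, redirect URI and API identifier are constructed placeholders; the S256 challenge derivation follows RFC 7636.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier: 32 random bytes give 43 unreserved characters,
    the minimum length RFC 7636 allows. It never leaves the device."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ascii(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(domain, client_id, redirect_uri, audience, verifier, state,
                        scope="openid profile email"):
    """Authorization request the mobile app opens in the browser/webview.
    'audience' asks Auth0 for an access token meant for your API rather than an
    opaque one; only the challenge is sent, the verifier stays on the device."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "audience": audience,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,  # echoed back on the callback; compare it to reject injected responses
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def token_request_body(client_id, redirect_uri, code, verifier):
    """Form body the app POSTs to https://{domain}/oauth/token to redeem the code.
    The verifier proves the same client that started the flow is finishing it."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    }


def parse_callback(redirect_url, expected_state):
    """Extract the code from the callback URL, after checking state."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    # Constructed values; not a real tenant, client or API.
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("example-tenant.auth0.com", "NATIVE_APP_CLIENT_ID_PLACEHOLDER",
                              "com.example.app://callback", "https://api.example.com",
                              verifier, state))
    print(token_request_body("NATIVE_APP_CLIENT_ID_PLACEHOLDER", "com.example.app://callback",
                             "CODE_FROM_CALLBACK_PLACEHOLDER", verifier))
```

The token response that comes back from /oauth/token is what carries the access token the backend later checks; the app keeps the verifier and state only for the lifetime of one authorization attempt.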
There is no example available for Flutter. There is one example on an Auth0 blog, but with a library which doesn't support Web and desktop. I must implement it from scratch. What is wrong with my request on the screen?
I can get an access token with another method (without PKCE). But as in the post, this verification process works very well, but I don't know how I can use this for getting info about the user.
@michaldev you are creating an issue in the auth0-python SDK about a Flutter mobile app that is not working for you... I cannot help you with that, but you can try with the community. What I put above is general guidance and usage for any mobile scenario. If we forget for a minute about mobile apps and assume that you have a Python backend using this SDK and receive an access token through some external request, you could use that access token to call the
But I must get user information on the backend (Python) side. As I wrote, if I succeed in getting the user token (without PKCE) I can't get user info in the Python script, because the tokenInfo method is deprecated.
@michaldev I'm not a contributor to the package, nor a seasoned developer, so please don't take my comments as official guidelines. I've been struggling a couple of weeks with the docs and playing around with the various settings in the tenant dashboard, but feel the payoff is worth the effort. The more I work with it, the more I like it, and I don't think Auth0 is in any way too complex for your use case. I am using a FastAPI backend, as you are. Authentication is done outside the API, but when I send a request to one of the FastAPI endpoints I include the access token in the header. In the API I do validation of the access token using this package (in the lines of what is suggested by @lbalmaceda in previous posts here). Regarding tokeninfo() from this package, I'm guessing you already have read the docs and found this (Authentication API): /tokeninfo. I'm guessing you have the switch for OIDC-conformant on (which you probably should?), and this is the reason you are getting a 404. Also tested Users.userinfo() and it works on my end.
This is weird. When I set scope to openid I get access_token and id_token, but if I try to log in with them (verify method) I get an error: In the Auth0 logs everything is OK :/ In the payload on jwt.io I have:
But Users(domain=domain).userinfo(auth_token) returns the username for me. Why does verification fail now?
Maybe the problem is in two audiences? Does python-auth0 support two audiences?
Here are the details: https://vimeo.com/466912574
@michaldev
When the ID token has multiple audiences, the Watching your recording, you mention that you are using a "native app" client id for this Python backend app and that's where I'm lost. You should be using a different client id, not reusing the same, as this is a separate application. Each must have the right application type depending on what they represent: a mobile app, a backend API, etc. It looks like you are trying to call your API from the mobile app. There's a quickstart showing exactly that, which I already recommended above; have you checked that? Python API Quickstart -> https://auth0.com/docs/quickstart/backend/python/01-authorization This is how it should look:
If your use case is different from what I understood, or you need a prompt response, you should reach out instead to our support team or ask in the Auth0 community so they can help you better. Cheers
This is clearly not a "quickstart" for my use case. It presents machine-to-machine (client_credentials). I've now created separate applications in my Auth0 panel:
But I still have a problem. 3he3K4UasIj4in2RKi6NytQWZKWLrsEY is the native app ID. In /authorize I have '3he3K4UasIj4in2RKi6NytQWZKWLrsEY' (the native ID). In the Python script I have the 'machine to machine' ID, fYAWWX04VdjZdj4LtKvnEqFaLlnD92fb. I've tried all combinations of application IDs. Always errors in token verification.
Don't use the ID token verifier in your backend. The backend API should not receive an ID token from the mobile app, only an access token.
Verification with the access_token returns the same error as with the id_token.
@michaldev He is saying DON'T use TokenVerifier.verify for anything other than validating ID tokens. Here is roughly what I'm doing at the moment.
It works, but is this secure? If I'm not comparing the token with the Auth0 server?
@michaldev Well, this is my reasoning (again as mentioned in the first post): Alternatively you could get some additional checks from sv.verify_signature by changing some of the options on the class (DISABLE_JWT_CHECKS), but since you cannot pass on arguments to jwt.decode only a few would work. This would be a hack, and I would not recommend it. Just mentioning it to motivate you to dig around a bit in the code to see what is going on :) It is a bit unfortunate that the SDK does not have an access_token verifier. Auth0 has an example online: https://auth0.com/docs/quickstart/backend/python/01-authorization. That one uses python-jose. While it has a similar interface (jwt.decode), it accepts the key set as a dict, while this SDK uses PyJWT, but you cannot pass on arguments like leeway, audience, issuer etc. to the jwt.decode function. In my opinion this SDK should support it, and the docs online should use this SDK in the examples. Everyone knows security is an elusive topic to grasp, and in my opinion the current state just adds to the confusion. As far as I can tell, I see two possible options when it comes to validating an access token:
I guess there are more libraries/SDKs for validating JWTs than mentioned here, but hopefully @lbalmaceda will confirm my two options are viable solutions.
The If your app is a backend app, and you receive a request that contains an access token, you must verify:
You could use the
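The checks a backend has to perform on an incoming access token, as listed in the comment above and in the earlier "multiple audiences" and "ID token vs access token" exchanges, worked through as an added example. This is not code from the auth0-python SDK or from anyone in this thread, and it uses only the standard library: tokens are signed and verified with HS256 and a constructed shared secret so the example runs offline, whereas Auth0 issues RS256 tokens whose public keys come from the tenant's JWKS endpoint (that key lookup is the part this example deliberately replaces). The issuer, API identifier, client id and user are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only; none of these is a real tenant, API or client.
ISSUER = "https://example-tenant.auth0.com/"           # Auth0 issuer values end with a slash
API_AUDIENCE = "https://api.example.com"               # the API identifier the backend expects
NATIVE_CLIENT_ID = "NATIVE_APP_CLIENT_ID_PLACEHOLDER"  # what the 'aud' of an ID token looks like
SECRET = b"constructed-shared-secret-for-the-example"  # stand-in for the tenant's RS256 key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a JWT (HS256). Stand-in for the tokens Auth0 issues, which are RS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token, secret, issuer, audience, now=None, leeway=0):
    """What a backend must check before trusting the payload: signature,
    issuer, audience (string or list), and expiry. Returns the claims."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # the verifier, never the token, decides the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))  # only parsed after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # 'aud' may be one value or a list
    if audience not in audiences:
        raise ValueError("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("issued in the future")
    return claims


def classify(token, now):
    """'ok' if the backend should accept the token, else the reason it must reject it."""
    try:
        verify_access_token(token, SECRET, ISSUER, API_AUDIENCE, now=now, leeway=30)
        return "ok"
    except ValueError as exc:
        return str(exc)


def example_tokens(now):
    """Constructed tokens covering the cases discussed in the thread."""
    base = {"iss": ISSUER, "sub": "auth0|constructed-user", "iat": now - 10, "exp": now + 3600}
    return {
        # access token carrying two audiences: the API identifier and the userinfo endpoint
        "access": sign_hs256({**base, "aud": [API_AUDIENCE, ISSUER + "userinfo"],
                              "scope": "openid profile"}, SECRET),
        # ID token: its aud is the client id, so the API must not accept it
        "id_token": sign_hs256({**base, "aud": NATIVE_CLIENT_ID, "nonce": "n"}, SECRET),
        "expired": sign_hs256({**base, "aud": API_AUDIENCE, "exp": now - 100}, SECRET),
        "wrong_issuer": sign_hs256({**base, "aud": API_AUDIENCE,
                                    "iss": "https://someone-else.example/"}, SECRET),
        "forged": sign_hs256({**base, "aud": API_AUDIENCE}, b"not-the-real-secret"),
    }


if __name__ == "__main__":
    now = int(time.time())
    for name, tok in example_tokens(now).items():
        print(f"{name:13s} -> {classify(tok, now)}")
```

The order of the checks matters: the payload is only parsed once the signature holds, and the audience check is what separates an access token meant for the API from an ID token meant for the mobile client, which is the distinction the replies above keep coming back to.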
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇♂️
Hello! Any updates here? I can see that this issue is also present for the PHP token verifier, and the team fixed it here. Are we also fixing it for the Python library? I am having the same issues as @michaldev, and I am only following your documentation.
@cledesma we still don't have in the roadmap introducing a verifier for Access Tokens on the Python SDK. What is your use case?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇♂️
Hi, I've a similar use case as auth0/auth0-PHP#422 and am wondering if a similar approach to the one that the PHP SDK went with can be used: auth0/auth0-PHP#428.
@lbalmaceda friendly ping :)
@authereal If the ID token that you are trying to validate is not compliant with the OIDC spec, I doubt we will accept a feature request to support that. The ID token verifier implemented here follows the OIDC spec. If you are suggesting a different feature, please open a separate issue so we can review it. Thanks.
How can I check information about authorized users, like username and others?
I've created/copied this code:
It works nicely, but there is no example in the documentation with a real use case of this. I searched the code of the library and found the Users class, but the tokenInfo() method is deprecated (why?) and userInfo doesn't work with a JWT token.
Users(domain=domain).tokeninfo(id_token) - 404 error.
Users(domain=domain).userinfo(id_token) - 401 error.