How to identify a user with auth0 jwt

Question

I have an angular2 frontend which is using Auth0 for authentication and a .net core app on the backend. All is working with enforcing secured API calls.

What is the best way to identify an authenticated user on the backend? A rather clumsy way I can think of doing this is to expose a 'setUserToken' api call which allows me to connect a user ID to either of the following:

• token var bearerToken = Request.Headers["Authorization"].ToString()

• social ID var socialId = User.Claims.Where(c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier").First().Value

That way, with subsequent API calls, I can simply findUserByToken() or findUserBySocialProviderOpenId()

I'm sure I'm missing a much more obvious solution to this problem. Any guidance would be greatly appreciated.

Answer 1

The sub claim of the JWT is always generated by Auth0 and will contain the user's identifier, independent of the identity provider that was used to log in.

https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#rfc.section.4.1.2

The sub (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The sub value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.

In most cases, your backend API should only be a consumer of Auth0 access tokens and not need to expose any endpoints related to authentication.