true cady

Reputation: 15

auth0 access token doesn't show issuer details

We recently added Auth0 to integrate SSO from different OAuth2 providers (e.g. contoso1.auth.com and contoso2.auth.com).

https://auth0.com/docs/quickstart/spa/angular/01-login

I followed the above link, and our front-end app successfully integrated this in the code and is able to sign in and get the token.

        {
          "iss": "https://TENANT_NAME.auth0.com/",
          "sub": "auth0|SOME_HASH",
          "aud": [
            "https://API_IDENTIFIER",
            "https://TENANT_NAME.auth0.com/userinfo"
          ],
          "iat": 1563699940,
          "exp": 1563786340,
          "azp": "SOME_OTHER_HASH",
          "scope": "openid profile email"
        }

In our Angular app we want to render the UI (show or hide links) based on which authentication (contoso1/contoso2) the user has gone through. But the Auth0 access token doesn't give any details about the issuer "iss" (e.g. contoso1.auth.com or contoso2.auth.com).

We cannot rely on the email to say which SSO the user belongs to, as in our case contoso1 and contoso2 can have users from each other's system with their own email IDs.

After spending some time on the Auth0 page I realized we have a field "connection" in the data context of the Auth0 object, and it stores the name. While we can use this as a temporary workaround, we can't rely on this to determine which SSO flow the user signed in with.

        {
          tenant: "identity-dev",
          clientID: "fdsfsdf-dfsdfsd8989",
          clientName: "Angualr Portal",
          clientMetadata: "{}",
          connection: "contoso1-backchannel",
          connectionStrategy: "oidc",
          ....more
        }

Please let me know how we can fetch the iss or issuer URL details in the token.

Upvotes: 0

Views: 515

Answers (1)

Brian

Reputation: 328

Is it a requirement to get this info using the frontend only?

As per this Auth0 article, it is a bit easier if you have a backend in place:

If your code runs in the backend, then we can assume that your server is trusted to safely store secrets (as you will see, we use a secret in the backend scenario).

With the backend you will be able to retrieve and parse the identities array user.identities[i].provider, which clearly identifies the original issuer under provider and connection keys.

If using only a frontend, it is more work and you need to build a proxy:

When working with a frontend app, the process for calling IdP APIs differs from the backend process because frontend apps are public applications that cannot hold credentials securely. Because SPA code can be viewed and altered, and native/mobile apps can be decompiled and inspected, they cannot be trusted to hold sensitive information like secret keys or passwords.

The quoted article contains links in the "Show me how" box that might be of further interest in this regard.

From your post it seems that only a frontend is used, but I included info about the backend in case it is worth your while to implement a small backend, if only to make retrieving the identity provider a bit easier.

Upvotes: 0
