Thursday, August 9, 2018

The Auth0 Access Token Paradox


The Auth0 Access Token Paradox

Identity management is hard. Auth0 makes it much easier and helps you secure your applications and services. One reoccurring scenario is that of calling API’s while logged in as a user and needing some information about the user in the API that is called.

Auth0 has put together a nice article about why you should use access tokens to secure APIs.
No arguing with that…

They provide some guidance around the fact that an access token doesn’t contain user info. The following is a quote.

“Note that the token does not contain any information about the user itself besides their ID (sub claim), it only contains authorization information about which actions the application is allowed to perform at the API (scope claim).
In many cases, you might find it useful to retrieve additional user information at the API, so the token is also valid for call the /userinfo API, which returns the user's profile information.”

That seems reasonable enough, when I need user info call the Auth0 /userinfo endpoint and problem solved. After implementing this as a solution in a development environment this probably seems slick (besides the extra network traffic and grossness of it all). However, after rolling it out to a UAT environment you might find your testers complaining of transient issues in calls that require user info.

A scenario much like above described played at out at work recently. After first consulting the debugger and realizing that requests where being rate limited, I revisited the Auth0 API documentation.




What I found is more than a little confusing. It looks like the legacy user info endpoint supported a reasonable hit rate, while the new one supports a fraction of that. The difference is a firehose vs. a leaky faucet.

To summarize: Use access tokens, they are cool. User info, that’s valuable stuff, if you want it you should be willing to wait for it.

This makes me wonder what people are doing to engineer around this. A queue perhaps? Somewhere there is a site with a banner that reads “Please wait! We use Auth0 and your user info is being requested. You’re 150th in line, your wait time is roughly 15 or 20 minutes.”

There is away around this. However, it seems to only be appropriate in situations where you don’t want to wait in line.

https://community.auth0.com/t/get-user-info/8821/5
Source = https://community.auth0.com/t/get-user-info/8821/5


Auth0 provides the ability to modify what data is included in the access token through node.js middleware that runs on the platform.The process is thoroughly documented in the Auth0 API documentation, so I’ll link to it rather than boring with the details.

I’m not a huge fan of this solution as every time you need another chunk of user info you end up sticking it in the access token. Access tokens shouldn’t be gigantic. This approach doesn’t scale well. In our scenario we need just the users email address so we can get away with it.

I'd love to hear from the folks at Auth0 regarding this...

Update 09/10/2018: I've heard back from Auth0. The documentation is missing a few key pieces of information. The user info endpoint is 5 request per minute for each user id. Also, the intent is that people calling the API cache the results. Makes sense, just not well set forth in documentation.

No comments:

Post a Comment