425show / fastapi_microsoft_identity

MIT License

function to identify the user #2

Closed lsmith77 closed 2 years ago

lsmith77 commented 2 years ago

I have an API where authentication is optional but if the user is identified I want to look up the settings for that specific user.

I guess this means I should not use requires_b2c_auth but just call validate_scope to check if the request is optionally authenticated.

But what I am missing now is a way to get some identifier from the JWT token (ideally the email) so that I can then do the appropriate lookup.

I guess ideally there would be a way to fetch the user with all the roles and claims.

cmatskas commented 2 years ago

Hi @lsmith77 - thanks for the comment.

APIs don't have a notion of "authenticated user" since this is dealt with in the front-end. APIs are responsible for checking the validity of the access tokens and any roles or API permissions passed in the token claims. The best way to make business decisions, assuming you have a valid token, is to look into the claims and take the appropriate action.

Your suggestion, however, is great as we don't really expose any of the token claims and most of the checks are esoteric/internal. Your PR to return the token claims makes sense. I'll test it to ensure that everything is working as expected before committing it. thx

cmatskas commented 2 years ago

@lsmith77 I have added a new helper method: get_token_claims to expose the token claims. Instead of overloading the validate_scope to do the scope validation AND return the claims, I decided to decouple the functionality and put it in a separate method :) Thanks for the recommendation!
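As an added illustration of the pattern described above (scope validation decoupled from claim extraction, and optional authentication that still rejects a present-but-invalid token), here is a self-contained Python example that is not the library's code: the function names mirror the thread, but the HS256 check against a constructed key stands in for fastapi_microsoft_identity's real Azure AD / JWKS token validation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; the real library verifies RS256 tokens against Azure AD's JWKS.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT purely to construct sample input for the demo."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def get_token_claims(authorization: Optional[str], key: bytes = DEMO_KEY) -> Optional[dict]:
    """Return verified claims; None when no bearer token was sent (anonymous caller);
    raise ValueError when a token is present but invalid, so a bad token is never
    silently downgraded to 'anonymous'."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims


def validate_scope(claims: dict, required: str) -> bool:
    """Scope check kept separate from claim extraction, as the maintainer chose to do."""
    return required in claims.get("scp", "").split()


def identify_user(claims: Optional[dict]) -> Optional[str]:
    """Stable identifier for the per-user settings lookup: prefer the immutable 'oid',
    fall back to email-style claims, which can change or be absent."""
    if claims is None:
        return None
    return claims.get("oid") or claims.get("email") or claims.get("preferred_username")
```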

lsmith77 commented 2 years ago

Did you remember to push your change? I don't see the commit yet.

cmatskas commented 2 years ago

Done now. I didn't push as I was working on Unit Tests :)

Thanks for checking with me. CM

lsmith77 commented 2 years ago

Thank you! One small tweak left to do: https://github.com/425show/fastapi_microsoft_identity/pull/5