XeroAPI / Xero-Java

Official Java client for use with Xero API
MIT License

openid email scopes do not seem to work #179

Closed Sayyiditow closed 4 years ago

Sayyiditow commented 4 years ago

SDK you're using (please complete the following information):

Describe the bug: We are trying to get the email of the user who linked their organization with our app, to use as an identifier, but with the scopes added we don't see the email being returned in the DecodedJWT.

To Reproduce: After getting the accessToken, we are doing: DecodedJWT jwt = JWT.decode(accessToken);

Inspecting this jwt, there is no email information for the user.

Expected behavior: An email claim should be present in the JWT.

Sayyiditow commented 4 years ago

We did see that there is a claim which gives the "xero_userid". Tried to use the value to query "Users" using the API but a nullpointer was thrown. I'm guessing this is not the right endpoint to use the "xero_userid" value.

Sayyiditow commented 4 years ago

After looking back into this, I found out that the proper decodedJWT that holds the identity token is not the access token itself, it is actually the id_token in the token response. Posting the way to get the email below for other users who come here:

First, get the id token. After getting the tokenResponse from the flow:
String idToken = String.valueOf(tokenResponse.get("id_token"));

Only then can you find the email claim:
DecodedJWT decodedJWT = JWT.decode(idToken);
String email = decodedJWT.getClaim("email").asString();

You can then save this email in your token storage implementation as a user for login into your app.

If you'd like to view other claims, just do: decodedJWT.getClaims().forEach((s, claim) -> System.out.println(s));
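The snippet above reads the email claim straight out of JWT.decode(), which parses the token but does not check its signature, issuer, audience or expiry. The following is an added example (not code from this thread or from the Xero-Java project) that shows the difference using com.auth0:java-jwt, the library behind the JWT.decode()/DecodedJWT calls quoted here. It signs a constructed id_token with a locally generated RSA key so it runs offline; the ISSUER and CLIENT_ID values are placeholders, and in a real integration the verification key comes from the identity provider's JWKS endpoint (the location is published in its OpenID discovery document) and the audience is your own client id.

```java
// Added example (not from the Xero-Java project or this thread): read the
// id_token's email claim only after signature, issuer, audience and expiry
// have been verified. Library: com.auth0:java-jwt.
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.Date;

public class IdTokenEmailExample {

    // Placeholders: in a real integration the issuer comes from the provider's
    // OpenID discovery document and the client id from your app registration.
    static final String ISSUER = "https://issuer.example";
    static final String CLIENT_ID = "your-client-id";

    /** Returns the email claim only from a token that passes full verification. */
    static String verifiedEmail(String idToken, RSAPublicKey issuerKey) {
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(issuerKey, null))
                .withIssuer(ISSUER)
                .withAudience(CLIENT_ID)   // token must have been issued for this app
                .build();                  // exp / nbf are checked by default
        DecodedJWT jwt = verifier.verify(idToken);  // throws on any failed check
        return jwt.getClaim("email").asString();
    }

    /** The pattern from the thread: decode only, no signature check at all. */
    static String unverifiedEmail(String idToken) {
        return JWT.decode(idToken).getClaim("email").asString();
    }

    /** Constructed test input: the payload is edited after signing, signature kept. */
    static String withEditedPayload(String token, String oldEmail, String newEmail) {
        String[] parts = token.split("\\.");
        Base64.Decoder dec = Base64.getUrlDecoder();
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = new String(dec.decode(parts[1]), StandardCharsets.UTF_8)
                .replace(oldEmail, newEmail);
        parts[1] = enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return parts[0] + "." + parts[1] + "." + parts[2];
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the provider's signing key, so the demo runs offline.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();
        Date inFiveMinutes = new Date(System.currentTimeMillis() + 5 * 60 * 1000);

        // Constructed id_token carrying the claims the thread is after.
        String idToken = JWT.create()
                .withIssuer(ISSUER)
                .withAudience(CLIENT_ID)
                .withSubject("user-123")
                .withClaim("email", "alice@example.com")
                .withExpiresAt(inFiveMinutes)
                .sign(Algorithm.RSA256(pub, priv));

        System.out.println("verified email:   " + verifiedEmail(idToken, pub));

        // Same token with the email rewritten in the payload: decode() still
        // returns the edited value, verify() notices the signature no longer matches.
        String edited = withEditedPayload(idToken, "alice@example.com", "mallory@example.com");
        System.out.println("decode() only:    " + unverifiedEmail(edited));
        try {
            verifiedEmail(edited, pub);
        } catch (JWTVerificationException e) {
            System.out.println("verify() rejects: " + e.getClass().getSimpleName());
        }

        // A correctly signed token issued for a different client is rejected too.
        String otherAudience = JWT.create()
                .withIssuer(ISSUER)
                .withAudience("other-app")
                .withClaim("email", "alice@example.com")
                .withExpiresAt(inFiveMinutes)
                .sign(Algorithm.RSA256(pub, priv));
        try {
            verifiedEmail(otherAudience, pub);
        } catch (JWTVerificationException e) {
            System.out.println("wrong audience:   " + e.getClass().getSimpleName());
        }
    }
}
```

The point for token storage as described in the thread: persist the email (or the sub claim, which is the stable subject identifier) only after verify() succeeds, and treat a JWTVerificationException as a failed login rather than falling back to JWT.decode().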

hyperclick commented 4 years ago

Hi Sayyiditow!

Could you please help with similar issue?

I obtain xero token with scopes:

When I decode it via https://jwt.io I get these fields:

My questions are:

  1. can I have user email in token?
  2. is https://api.xero.com/api.xro/2.0/users/ an undocumented api? (i did not find it on https://developer.xero.com/documentation)
  3. what is returned in token.xero_userid? When I call https://api.xero.com/api.xro/2.0/users/ I see my users but I don't see this id in response. https://api.xero.com/api.xro/2.0/users/token.xero_userid returns 404 - not found
  4. is there a Xero equivalent for GoogleOauth.verifyToken()?

thanks!

Sayyiditow commented 4 years ago

Hi,

My replies above were based on Version 3.2.1 of the Xero Java API. Are you using the same?

  1. Yes, check my reply, there is a way to get the user email by using the id_token.
  2. Not sure what you mean.
  3. Please use the print out statement I posted above which prints all token claims returned.
  4. Not sure.

hyperclick commented 4 years ago

Thanks for the quick answer! My problem was that I decoded access token whereas I should find email in id_token!

So, for now I need to find answer at least for one of the questions:

  1. is there any way to get access_token by id_token or vice versa?
  2. is there any way to get user email by access token?
  3. is there any way to get user email by token.xero_userid?

Any help is kindly appreciated

SidneyAllen commented 4 years ago

@hyperclick

We have a java "starter" app that demonstrates the oauth flow and how you obtain your accessTokenResponse which includes your access_token and id_token. https://github.com/XeroAPI/xero-java-oauth2-starter/blob/ab6dc9c46f8e714f6ca7cb3d83b7cdc0401ad4c4/src/main/java/com/xero/starter/Callback.java#L85

We also show how you decode the id_token you saved on callback. https://github.com/XeroAPI/xero-java-oauth2-starter/blob/ab6dc9c46f8e714f6ca7cb3d83b7cdc0401ad4c4/src/main/java/com/xero/starter/AuthenticatedResource.java#L42