E-mail field not exists in access token

  • Z
    zaalbarxx
    last edited by 27 May 2024, 08:37

    According to the docs here:
    https://fusionauth.io/docs/quickstarts/quickstart-php-laravel-api#provisioning-new-users
    the access token received from FusionAuth should contain an email field. But it does not. After logging in, the app.at token looks like this:
    96b5500b-7749-4773-8c8d-1382e6b5e12f-image.png

    Is this the correct behavior? I mean, the e-mail is there in the app.idt along with other data:
    1ecc59bb-91dd-43cf-8a4a-0b27df590ebf-image.png

    Wouldn't it be better to change app_at to app_idt here to actually parse and verify the ID token instead of the access token?
    c8f552b6-3cf0-45ea-8d75-1230182dd642-image.png

    • A
      Alex Patterson
      last edited by 28 May 2024, 14:59

      You can read more about the differences of the cookies set in our hosted backend documentation.

      Cookies Set By the Hosted Backend

      | Name | HttpOnly | Description |
      |------|----------|-------------|
      | app.at | true | The access token for the configured application. This is a JWT and can be presented to your APIs to access data and functionality. |
      | app.rt | true | The refresh token for the configured application. Only present if the offline_access scope is requested. This can be presented to FusionAuth to retrieve a new access token. |
      | app.idt | false | The Id token for the user for the configured application. Only present if the openid scope is requested. This is a JWT and can be accessed by JavaScript to display user account information. |
      | app.at_exp | false | The unix epoch timestamp indicating when the access token will expire. This can be checked by JavaScript to determine when a refresh token should be used to get a new access token. |

      As you have called out, the two tokens are meant for two different purposes. app.idt is available to the browser using JavaScript and app.idt is available only on calls that involve the server.

      During true OAuth (not utilizing openid) you will not see email utilized. This is still valid for checking if a user is authenticated. You can send this to all of your API endpoints as well.

      • Z
        zaalbarxx @Alex Patterson
        last edited by 29 May 2024, 09:02

        @Alex-Patterson Then I believe you should update your example repo, because the code there mistakenly makes the reader think that the email will be there. Anyway, thanks for the clarification, cheers 🙂

        • A
          Alex Patterson @zaalbarxx
          last edited by 14 Jun 2024, 14:40

          @zaalbarxx sorry for the delay. I might be missing it (sorry, not a PHP person), but I don't see where that confusion comes into play. I know that some of our docs had to get updated because of a change that we made during our 1.50 release that required requesting further details in our scopes request.

          This release makes significant changes to the default behavior of new Applications with regard to scopes in OAuth workflows. The database migration will update existing Applications to behave in a backwards compatible manner. See the OAuth Scopes documentation for more information, in particular the Relationship, Unknown scope policy, and Scope handling policy configurations.

          https://fusionauth.io/docs/release-notes/#version-1-50-0

          Let me know if that still isn't making sense, or if there is a spot you were hung up on and I would be happy to update our docs. Or even better feel free to add a PR.

          • A Alex Patterson has marked this topic as solved on 14 Jun 2024, 14:47
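
Added example, not code from the FusionAuth quickstart or from either poster: one way an API can authenticate on the `app.at` access token, key the user on `sub`, and treat `email` as optional, taking it from `app.idt` only when that token verifies and names the same user. HS256 signing, the shared secret, the presence of a `sub` claim, and all function names are assumptions made for this sketch.

```php
<?php
// Added example, not FusionAuth's or the quickstart's code.
// Assumptions: HS256 tokens, a shared secret, and a "sub" claim in both tokens.

function b64url_decode(string $s): string {
    $s = str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '=');
    $d = base64_decode(strtr($s, '-_', '+/'), true);
    return $d === false ? '' : $d;
}
function b64url_encode(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }

// Return the claims only if the signature and expiry check out, else null.
function verified_claims(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') return null; // pin the algorithm
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, b64url_decode($sig))) return null;
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['sub']) || ($claims['exp'] ?? 0) <= time()) return null;
    return $claims;
}

// Authenticate on app.at; email is optional and never decides authentication.
function identify(array $cookies, string $secret): ?array {
    $at = verified_claims($cookies['app.at'] ?? '', $secret);
    if ($at === null) return null; // no valid access token: not authenticated
    $email = $at['email'] ?? null;
    if ($email === null) { // use the ID token only if it verifies and names the same user
        $idt = verified_claims($cookies['app.idt'] ?? '', $secret);
        if ($idt !== null && $idt['sub'] === $at['sub']) $email = $idt['email'] ?? null;
    }
    return ['sub' => $at['sub'], 'email' => $email];
}

// Constructed sample tokens, signed locally so the example runs offline.
function sample_jwt(array $claims, string $secret): string {
    $h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = b64url_encode(json_encode($claims));
    return "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
}
$secret = 'constructed-demo-secret';
$at  = sample_jwt(['sub' => 'user-1', 'exp' => time() + 300], $secret);
$idt = sample_jwt(['sub' => 'user-1', 'email' => 'user@example.com', 'exp' => time() + 300], $secret);
var_dump(identify(['app.at' => $at, 'app.idt' => $idt], $secret)); // email taken from app.idt
var_dump(identify(['app.at' => $at], $secret));                    // authenticated, email is null
var_dump(identify(['app.idt' => $idt], $secret));                  // NULL: an ID token alone does not authenticate
```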