Get user's JWT

[praagyajoshi]

What happened?

[Apologies, this is not really a bug but more of a question. I tried to access discussions, but apparently it has not been enabled yet for the repo]

I'm trying to access the JWT for the authenticated user to send to my backend service (which will then validate the token to get the authenticated user for the request).
Based on the methods I see for Auth0RemixServer, I don't think I can access it (for example, getUser) returns the user attributes directly but not the token itself.

Can you please point me towards how I can get the token? Thank you!

As an aside:
If I am validating the token on the Remix server side, I think I might not need to do the JWT validation again and can "trust" the Remix app that the user is who they say they are. But I thought having an extra layer of protection might not hurt.

What did you expect to happen?

I expect to be able to fetch the user's token.

What version of Remix are you using?

1.12.0

[meza]

Yes, you're correct! (I've also enabled the discussions, thanks for pointing that out).

It's one of the missing features and is very high on my list. Was hoping to get to it today but chances are slim.

I want to give you a way to register a callback so that you can do as you please with the ID token (and the refresh token when the rotation is not enabled)

https://github.com/meza/auth0-remix-server/blob/main/src/index.ts#L232

Since the user profile and the id token is usually identical, can you use the profile for now? (For maybe a day or 2)

I'd also want to make sure to provide a handy verification function so you could always send in a token and make sure it's valid before you use it.

[praagyajoshi]

Thanks for the super fast response, @meza!
Good to know that it's planned and will be implemented soon.

For now, I will use the sub provided by user profile and let my backend "trust" the request triggered by the Remix server. Once I can get the JWT, I will go back to validating it. Thanks again!

[meza]

Awesome! It might actually make sense to have that "escape hatch" just give you all of the tokens at once. The Access Token, the ID Token and the Refresh Token.

That could also enable the feature to opt out from this library handling the session. Coming soon ™️

[praagyajoshi]

Yes, that makes sense! Looking forward to it.

[meza]

Almost there!

[meza]

This has now been released with v1.1.0

[praagyajoshi]

Thank you so much for this, @meza!