Hey James,
To get a user’s identity id (uuid) as a part of an auth flow, you need to request the scope “openid” alongside any other scopes you’re requesting.
If that’s in your request, the response will have a top level “id_token” which is a JWT string representing known user info.
Assuming you’re using the Globus Python SDK, we provide a convenience function (decode_id_token) to extract that into a Python dict, at which point the uuid you’re interested in should be under the field “sub”.
Putting it all together, a python example of this would look like:
>>> auth_client = …some globus auth login client…
>>> auth_client.oauth2_start_flow(…, requested_scopes=f"openid {other_scopes}")
>>> print(auth_client.oauth2_get_authorize_url())
>>> code = input("Please enter authorization code: ")
>>> response = auth_client.oauth2_exchange_code_for_token(code)
>>> openid_token = response.decode_id_token()
>>> user_uuid = openid_token["sub"]
Relevant Docs:
Interesting. Given that you’re using `oauth2_client_credentials_tokens` here, your tokens are actually associated with your confidential client (they perform operations using your client’s permissions), not a particular user.
You can get a uuid from this flow, but it won’t be a user’s uuid, it’ll be your client’s uuid (as the client is the one granting permission). To do this you’d do:
token_response = confidential_client.oauth2_client_credentials_tokens()
parsed_id = token_response.decode_id_token()
client_id = parsed_id["sub"]
Is that the solution you ended up with or did you figure something else out?
Alright, glad to hear it!
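The two cases discussed in this thread (a user login flow and a client-credentials flow), plus a response without an id_token, as an added example that is not part of the original posts and is not Globus SDK code. The uuids, the token bodies and the helper names (`peek_claims`, `describe_identity`, `make_sample_id_token`) are constructed for illustration, and the claims are read without signature verification, for inspection only.

```python
import base64
import json

CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed client uuid
USER_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # constructed user uuid


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_id_token(sub: str) -> str:
    """Constructed JWT-shaped string; the signature part is a dummy."""
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                     _b64url({"sub": sub, "aud": CLIENT_ID}),
                     "constructed-signature"])


def peek_claims(id_token: str) -> dict:
    """Read the claims segment WITHOUT verifying the signature.

    For inspection and debugging only; use decode_id_token() from the
    thread for claims you act on.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def describe_identity(token_data: dict, client_id: str) -> tuple:
    """Return (kind, sub) for the body of a token response."""
    id_token = token_data.get("id_token")
    if id_token is None:
        # Per the thread, id_token is present when "openid" was requested.
        return ("no id_token", None)
    sub = peek_claims(id_token).get("sub")
    # Client-credentials tokens carry the client's own uuid as "sub".
    return ("client" if sub == client_id else "user", sub)


# Constructed token response bodies for the three cases.
USER_FLOW = {"access_token": "constructed", "id_token": make_sample_id_token(USER_ID)}
CLIENT_FLOW = {"access_token": "constructed", "id_token": make_sample_id_token(CLIENT_ID)}
NO_OPENID = {"access_token": "constructed"}

if __name__ == "__main__":
    for body in (USER_FLOW, CLIENT_FLOW, NO_OPENID):
        print(describe_identity(body, CLIENT_ID))
```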