Intercept and pass on id_tokens

[dschreij]

Is your feature request related to a problem? Please describe.

Consider the following workflow (which I think is very common):

1. Nuxt-auth authenticates with an Oauth provider (for example Auth0) and receives an access_token and id_token. The first indicates if the user can access the API, and the latter contains info about the user's identity. Nuxt-auth only captures the access_token and discards the id_token.
2. Nuxt-auth includes the access_token to API calls.
3. The API can tell the user is allowed access, but does not know the identity of the user as this is contained by the ID token.
4. The API needs to call a /userinfo endpoint (in case of Auth0) for each request it receives, to determine the user's identity. The frequency of doing this will soon go through the roof if the app grows larger. If I remember correctly, Auth0 rate limits calls to /userinfo with max 5 per minute (per user?), so this will become unworkable when the number of API calls increase.

Describe the solution you'd like to see

An option to catch the id_token and perhaps a flag to indicate if it should be passed on with outgoing ajax calls. Something in the line as is now possible for refresh_token but then with options specific to id_token.

Describe alternatives you've considered

I have currently solved this problem by using Auth0's rules feature to 'inject' the email address into the access_token, but this feels quite hacky to say the least, and this option is of course specific to Auth0, while other services may also use an ID token to identify the user, but don't allow one to change the access token. I think it is also a convention to keep authentication and identification information separated in different tokens, but I can't find any references for this.

I have also tried setting the token.property field to id_token as was suggested in the docs to do with the Google authentication API, but then the login procedure gets stuck in an infinite loop, so I guess the ID token can't pass for authentication. Moreover, it is also advised against by Auth0's docs itself to:

Do not use ID tokens to gain access to an API.

Additional context

I'd be willing to see if I can free up some time to work on this, but I need to know if such a feature is widely requested and not only need by myself before I make an attempt. Additionally, I don't know what is the convention for passing these ID tokens on to an API. For access tokens it is of course an entry in the header (Authorization: Bearer ....), but should the ID token be passed along the same lines, and what header label should be used then?

[phani1kumar]

This id_token is required for google provider as well for me.