Why is this setting causing the validation logic to fail when the JWT payload contains a sub claim that doesn’t match the expected user ID format in our React application? I am building a custom CLI tool that integrates with a React frontend for our Lagos-based team, and we are using the implicit grant flow for OAuth2 authentication. The frontend receives the access token and ID token, but when I try to validate the ID token using the public keys from the JWKS endpoint, the signature verification passes, yet the subsequent claim extraction returns null for the user’s email address. This is unexpected because the token payload clearly contains the email claim when decoded in an online debugger.
Here is the relevant snippet from our React utility function where the issue occurs:
const validateToken = (token) => {
const decoded = jwt.decode(token, { complete: true });
if (!decoded.payload || !decoded.payload.sub) {
throw new Error('Invalid token structure');
}
// The email claim is missing here despite being in the raw JWT
const user = {
id: decoded.payload.sub,
email: decoded.payload.email || null,
};
return user;
};
The HTTP 200 response from the Genesys Cloud authorization endpoint includes the token, and I have confirmed via Wireshark that the network traffic is correct. However, when this validateToken function runs in the browser, the decoded.payload.email is always undefined. I have checked the JWKS endpoint at https://api.mypurecloud.com/api/v2/authorization/publickeys and the keys seem valid. Is there a specific claim mapping or scope requirement that I am missing in the implicit grant configuration that would strip the email claim from the ID token?
I need to ensure that the user context is correctly established before calling the Platform SDK methods. Any insight into why the email claim might be omitted or how to force its inclusion would be appreciated.