feat: Add parseIdToken utility to public API #1537

Merged
subhankarmaiti merged 1 commit into auth0:master from opfeffer:feat/export-parse-id-token
Jun 10, 2026

@opfeffer opfeffer commented May 15, 2026

Contributor

Changes

Adds a public parseIdToken(idToken: string): User utility function that decodes a JWT ID token locally and returns a User object with standard OIDC profile claims (camelCased) and any custom claims.

This is a purely additive change — no existing functionality is modified. It introduces a new export only, so the risk surface is minimal.

  • New function exported: parseIdToken (from src/core/utils/parseIdToken.ts)
  • New public API entry in src/index.ts

Usage:

import Auth0, { parseIdToken } from 'react-native-auth0';

const auth0 = new Auth0({ domain, clientId });
const credentials = await auth0.webAuth.authorize({ scope: 'openid profile email' });
const user = parseIdToken(credentials.idToken);
// user.sub, user.name, user.email, etc.

Auth0Provider already uses this parsing logic internally via Auth0User.fromIdToken(). This exposes the same behavior for consumers managing auth state directly via the Auth0 class, without requiring a network round-trip to /userinfo.

References

Testing

New unit tests in src/core/utils/__tests__/parseIdToken.spec.ts covering:

  • Standard OIDC claims are decoded and camelCased

  • Protocol claims (iss, aud, exp, etc.) are excluded

  • Missing sub claim throws an error

  • This change adds unit test coverage

  • This change has been tested on the latest version of the platform/language or why not

Checklist

Closes #1536

Summary by CodeRabbit

  • New Features

    • Added a public utility to parse an ID token locally and produce a user profile (standard OIDC claims and custom claims) without a network call.
  • Documentation

    • Added Authentication API docs with examples showing how to parse user profiles from ID tokens.
  • Tests

    • Added unit tests validating decoding behavior, required claim enforcement, and excluded protocol claims.
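
An added sketch, not part of this PR and not react-native-auth0's implementation, of the behaviour the description and tests list: multi-word standard claims camelCased, the protocol claims named above dropped, a missing sub rejected, custom claims passed through unchanged. The names `parseIdTokenSketch` and `makeSampleToken` and both claim lists are assumptions; the sketch checks no signature, issuer, audience or expiry, so what it returns suits profile display and not authorization decisions.

```typescript
// Added sketch, not react-native-auth0 code: decode-only parsing, no signature check.
type Claims = Record<string, unknown>;
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const PROTOCOL_CLAIMS = ['iss', 'aud', 'exp', 'iat']; // the four named on this page (assumed list)
// Multi-word standard claims from OIDC Core 5.1, the only keys this sketch renames.
const SNAKE_STANDARD = ['given_name', 'family_name', 'middle_name', 'preferred_username',
  'email_verified', 'phone_number', 'phone_number_verified', 'updated_at'];

function b64urlDecode(s: string): string {
  let bits = 0, nbits = 0, pct = '';
  for (let i = 0; i < s.length; i++) {
    const v = B64.indexOf(s.charAt(i));
    if (v < 0) throw new Error('invalid base64url character');
    bits = ((bits << 6) | v) & 0xffff; nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      pct += '%' + ('0' + ((bits >> nbits) & 0xff).toString(16)).slice(-2);
    }
  }
  return decodeURIComponent(pct); // percent-decoding reads the bytes as UTF-8
}

function b64urlEncode(ascii: string): string { // ASCII only; builds the sample
  let out = '', bits = 0, nbits = 0;
  for (let i = 0; i < ascii.length; i++) {
    bits = ((bits << 8) | ascii.charCodeAt(i)) & 0xffff; nbits += 8;
    while (nbits >= 6) { nbits -= 6; out += B64.charAt((bits >> nbits) & 63); }
  }
  return nbits > 0 ? out + B64.charAt((bits << (6 - nbits)) & 63) : out;
}

function parseIdTokenSketch(idToken: string): Claims {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(b64urlDecode(parts[1] || '')) as Claims;
  if (typeof payload['sub'] !== 'string') throw new Error('ID token is missing the sub claim');
  const user: Claims = {};
  for (const key of Object.keys(payload)) {
    if (PROTOCOL_CLAIMS.indexOf(key) >= 0) continue;
    const renamed = SNAKE_STANDARD.indexOf(key) >= 0
      ? key.replace(/_([a-z])/g, (_m, c: string) => c.toUpperCase()) : key;
    user[renamed] = payload[key]; // value passes through exactly as decoded, unverified
  }
  return user;
}

function makeSampleToken(claims: Claims): string { // constructed sample; third segment is not a signature
  return [b64urlEncode('{"alg":"RS256"}'), b64urlEncode(JSON.stringify(claims)), 'unsigned'].join('.');
}
```

Calling `parseIdTokenSketch(makeSampleToken({ sub: 'auth0|123', given_name: 'Ada', iss: 'https://tenant.example/' }))` returns `{ sub: 'auth0|123', givenName: 'Ada' }` even though the token's third segment is not a signature.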

@opfeffer opfeffer marked this pull request as ready for review May 15, 2026 12:13
@opfeffer opfeffer requested a review from a team as a code owner May 15, 2026 12:13
@subhankarmaiti

Contributor

Hi @opfeffer
Thanks for opening the PR. Could you please sign the commit? You can refer to the doc: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

@opfeffer opfeffer force-pushed the feat/export-parse-id-token branch from dd955e8 to bf66d4e Compare June 8, 2026 11:36
@coderabbitai

coderabbitai Bot commented Jun 8, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4c910a0d-d78b-455a-ae26-e05222226866

📥 Commits

Reviewing files that changed from the base of the PR and between bf66d4e and b2a19f9.

📒 Files selected for processing (5)
  • EXAMPLES.md
  • src/core/utils/__tests__/parseIdToken.spec.ts
  • src/core/utils/index.ts
  • src/core/utils/parseIdToken.ts
  • src/index.ts
✅ Files skipped from review due to trivial changes (2)
  • src/core/utils/index.ts
  • EXAMPLES.md
🚧 Files skipped from review as they are similar to previous changes (3)
  • src/index.ts
  • src/core/utils/__tests__/parseIdToken.spec.ts
  • src/core/utils/parseIdToken.ts

Walkthrough

Adds a new public utility parseIdToken(idToken: string): User, re-exports it from utils and package root, adds unit tests validating claim mapping and error handling, and documents usage in EXAMPLES.md for local user-profile extraction from an ID token.

Changes

parseIdToken Utility

| Layer / File(s) | Summary |
| --- | --- |
| parseIdToken utility: implementation, exports, and tests (src/core/utils/parseIdToken.ts, src/core/utils/index.ts, src/index.ts, src/core/utils/__tests__/parseIdToken.spec.ts) | New parseIdToken(idToken: string): User utility wraps Auth0User.fromIdToken and is re-exported through the utils module and package entrypoint. Tests verify claim-to-user mapping, exclusion of protocol claims (iss, aud, exp, iat), and error handling when sub is missing. |
| Usage documentation (EXAMPLES.md) | Added Authentication API section demonstrating parseIdToken usage with credentials from webAuth.authorize() or credentialsManager.getCredentials(), noting it mirrors Auth0Provider's internal parsing and avoids auth.userInfo() network calls. |

🎯 2 (Simple) | ⏱️ ~10 minutes

"🐰 I nibble at tokens with decoding delight,
I tuck claims in users, both morning and night.
No network hop needed, the profile's right here,
A small hop of code makes the developer cheer. 🥕"

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: adding a new parseIdToken utility function to the public API. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #1536 by exposing parseIdToken as a public utility to parse user profiles from ID tokens without network calls or duplicating logic. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing the parseIdToken utility and its documentation; no out-of-scope modifications detected. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.



Exposes a public `parseIdToken(idToken)` utility that returns a `User`
object by decoding a JWT ID token locally. This provides the same
user-parsing behavior that Auth0Provider uses internally, for consumers
managing auth state directly via the Auth0 class.

Closes auth0#1536
@opfeffer opfeffer force-pushed the feat/export-parse-id-token branch from bf66d4e to b2a19f9 Compare June 8, 2026 11:38

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
EXAMPLES.md (1)

4-15: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the Authentication API TOC to include the new subsection.

The new “Parse user profile from an ID token locally” section is present, but it isn’t linked from the Authentication API subsection list at the top.

Doc TOC patch
 - [Authentication API](`#authentication-api`)
   - [Login with Password Realm Grant](`#login-with-password-realm-grant`)
   - [Get user information using user's access_token](`#get-user-information-using-users-access_token`)
+  - [Parse user profile from an ID token locally](`#parse-user-profile-from-an-id-token-locally`)
   - [Getting new access token with refresh token](`#getting-new-access-token-with-refresh-token`)
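
Review bot: the link target on the added line is written with backticks inside the parentheses, (`#parse-user-profile-from-an-id-token-locally`), and the same is true of the three context entries, so as written the backticks are part of the link destination and the fragment would not match the heading's slug. Write the target bare, as in [Parse user profile from an ID token locally](#parse-user-profile-from-an-id-token-locally), and check the slug against the new heading text before applying the same entry to lines 140-154.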

Also applies to: 140-154

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@EXAMPLES.md` around lines 4 - 15, Add a TOC link for the new subsection
"Parse user profile from an ID token locally" to the Authentication API list in
EXAMPLES.md by inserting a bullet like "- [Parse user profile from an ID token
locally](`#parse-user-profile-from-an-id-token-locally`)" into the existing
Authentication API subsection list (the list that contains entries such as
"Login with Password Realm Grant" and "Using Custom Headers"); ensure the link
text matches the new section header exactly so it anchors correctly and update
the other duplicate TOC area (lines ~140-154) the same way.
🧹 Nitpick comments (1)
src/core/utils/__tests__/parseIdToken.spec.ts (1)

13-61: ⚡ Quick win

Add an explicit custom-claims pass-through assertion.

Current tests cover standard mapping, protocol filtering, and missing sub, but not the documented custom-claim behavior. A small test for one namespaced custom claim (e.g. https://example.com/role) would lock the public contract.

Suggested test addition
 describe('parseIdToken', () => {
@@
   it('should throw if the token is missing the sub claim', () => {
@@
   });
+
+  it('should keep custom claims unchanged', () => {
+    mockJwtDecode.mockReturnValue({
+      sub: 'auth0|123',
+      'https://example.com/role': 'admin',
+    });
+
+    const user = parseIdToken('mock-id-token');
+    expect((user as any)['https://example.com/role']).toBe('admin');
+  });
 });
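
Review bot: the added test reads the claim through (user as any)['https://example.com/role'], which hides whether the User type actually exposes custom claims to callers; index it through the declared type if that type allows it, so a typing regression fails the test. The asserted value is a role ('admin') that comes straight from the mockJwtDecode return, so also assert user.sub in this test and name it to say the claim is returned as decoded, which keeps readers from treating the passed-through value as something this function has checked.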
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/utils/__tests__/parseIdToken.spec.ts` around lines 13 - 61, Add a
test to parseIdToken.spec.ts that ensures namespaced custom claims are passed
through: mock jwtDecode to return a namespaced claim like
"https://example.com/role": "admin" alongside sub, call
parseIdToken('mock-id-token') and assert the returned user object contains that
exact namespaced claim (e.g. (user as any)['https://example.com/role'] ===
'admin'), keeping existing expectations for sub; this validates parseIdToken's
custom-claim pass-through behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0debebe9-2ab5-4794-bb1f-ddbf8b85a2ae

📥 Commits

Reviewing files that changed from the base of the PR and between e0d4a6a and bf66d4e.

📒 Files selected for processing (5)
  • EXAMPLES.md
  • src/core/utils/__tests__/parseIdToken.spec.ts
  • src/core/utils/index.ts
  • src/core/utils/parseIdToken.ts
  • src/index.ts

@opfeffer

opfeffer commented Jun 8, 2026

Contributor Author

> Hi @opfeffer Thanks for opening the PR. Could you please sign the commit? You can refer to the doc: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

My bad for not properly signing the first time. Rebased my PR and signed my commit. Ready for another look @subhankarmaiti

@subhankarmaiti subhankarmaiti merged commit 6fa458d into auth0:master Jun 10, 2026
4 of 6 checks passed

Development

Successfully merging this pull request may close these issues.

Expose user profile parsing when using the Auth0 class directly (without Auth0Provider)
