SPA + Rails API passing auth0_id from front end to back - Best Practice

Currently have a spa application hitting a rails api but on every request where i need to fetch the user data I am supplying the auth0_id from the front end. Is this ok practice or should i be getting the auth0_id when I decode the jwt token? Or am i missing something else?

Hi @scott.stern06,

Take a look at this example:
https://auth0.com/docs/architecture-scenarios/spa-api/part-3#determine-user-identity

If I understand you correctly, the answer is yes. Please take a look at the implementation and make sure it fits your case.

Thanks,
Dan

@dan.woda Thanks for the response, the documentation says nothing about how to access an auth0 user in your own db. this simply tells you how to log someone in.

In my case like I explained above, i am passing a token and auth0_id to my api to check for the user in my api. Is passing the auth0 id with the auth_token a bad practice? Should i get the auth0_id from decoding the token on the api ?

@scott.stern06,

I am referring to the following line:

One of the standard JWT claims is the sub claim which identifies the principal that is the subject to the claim. In the case of the Implicit Grant flow this claim will contain the user’s identity, which will be the unique identifier for the Auth0 user. You can use this to associate any information in external systems with a particular user.

sub is going to be the user id in this case. You can also add a custom claim if you wanted to use a different identifier such as email address. Since you are already sending the user id in the token I don’t think that would be bad practice per se, but it is redundant.

Let me know if I am misunderstanding something.

Thanks,
Dan

Got it thanks, so it would be “better” practice to just send the jwt and pull the id from there on the api?

Yes, this would be the suggested approach.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.