Is it possible to use Auth0 purely as a method of securely generating and renewing access tokens including a few custom claims or is it inherently designed to have the client authorization credentials stored within the Auth0 system?
My understanding initially was that I would be able to manually authenticate a user (via username & password for example) on my server using the details in my database, generate an Auth0 access token which included some claims i.e. userid, roles etc to return to the client who would then use that access token from then on to calls to my API.
Is this possible/the intended use of Auth0 or have I misunderstood the platform?
In general for the traditional service specific username/password credentials use case the actual credentials would indeed be managed by Auth0 removing from you the burden associated with all the security details around storing end-user passwords. This would be recommended usage.
However, there’s a possibility for the actual credentials to be managed by you while still leaving to your Auth0 tenant/domain all the responsibilities associated with the authentication protocols and the issuance of tokens. For this you should take a look at custom database connections where you would implement logic to manage the credentials in your own store while everything else protocol-related would still be handled by the Auth0 service. If this is just a case where you already have users on your own store and don’t want to force them to reset passwords then take a look at custom database connections with migration.
Excellent, thanks for your help.
Hi @jmangelo,
But when using the JAVA SDK we need to have the client credentials to perform signup or login calls, as the AuthAPI class requires them.
Will we not have to store the client credentials locally?
(Considering a single client for all users)https://github.com/auth0/auth0-java