When using the URL to enable social login, I am getting a token/ code as a response (depending on the choice while preparing the URL).
The user is getting created successfully at Auth0 and the redirectUrl is called.
But I am dubious about how to use the received token/code. As our API requires Auth0 access_token for validating the user and granting access.
If you got back a code, you need to exchange the code for an access_token and an id_token (if you need it) by calling the oauth/token endpoint. If you used response_type=token, then you receive an access_token directly and you don’t need to make any other call to Auth0.
The access_token that you get back needs to have the audience ( aud ) of your API, which you set by configuring the API identifier in the Dashboard as explained here. You set the audience by adding it as a query string parameter when calling the /authorize endpoint as explained in this tutorial if you’re building an SPA (implicit grant flow, response_type=token or response_type=token id_token) or this one if you’re building a web application (authorization code grant flow, response_type=code).
Once you have an access_token with the right audience and scope (if you’re using them in your API to grant more specific permissions), you need to validate it in your API. This document explains how to validate tokens in more detail. We also have a set of Quickstarts that explain how to validate them in different programming languages.
You can inspect the JWT tokens you get through jwt.io in case you need to troubleshoot them (to verify that the right audience is being set, for example).
Please take into consideration that when you’re creating an API in the Dashboard you can set the signing algorithm to be either RS256 or HS256. It’s highly recommended that you use RS256 for your use case and this is the approach that our Quickstarts explain.
Okay, I got it. I was receiving an id_token which is a string since I didn’t pass the audience value.
Thanks a lot for the help @anny!