I’m having a single page web web application (SPA) that, using the implicit grant flow, gets an access token from auth0. That access token is used when making requests to my API.
How does my API know which user has made a request? The access token, when decoded from JWT format to JSON, looks like this:
{
'iss': 'https://MY-DOMAIN.eu.auth0.com/',
'sub': 'auth0|59bbed...',
'aud': 'localhost', 'https://MY-DOMAIN.eu.auth0.com/userinfo'],
'azp': '...',
'exp': 1505515504,
'iat': 1505508304,
'scope': 'openid profile'}
Is it sufficient to refer to the subject 'sub': 'auth0|59bbed...' as the user who made the request?
Or should the backend instead get the user profile via https://MY-DOMAIN.eu.auth0.com/userinfo?
Answer to myself: sub identifies the subject (user) of the access token. So this data is sufficient to identify the user on whose behalf the request is made.
I have similar question and I would like to know are you sending the JWT to your backend? And your backend is validating the JWT which come from auth0 to either allow the user or not? I thought to secure the backend API, the backend API itself needs to generate JWTs, but in your case it is not.
@nurlan.nurmanov The web frontend is sending the JWT access token to the backend. The backend then validates the token that was generated by auth0 and handed over to the web frontend at the end of the implicit grant flow. This is how the backend is secured and how requests from the frontend are authenticated at the backend. There’s no need for the backend to create tokens. The backend only validates the token using the public key that is created for the backend by auth0.