2 application scenario: MVC and RestAPI


I have a Java MVC application and one RestAPI application. On MVC I have added auth0 integration and I am able to call login page, authenticate, and process callback request.

From this MVC application, I need to call the RestAPI and I want to use same Auth0 user to authenticate on that side and be sure the caller is authorized to complete the request and I was thinking to implement something like that:

  1. on MVC side, I add the Authorization token received from Auth0 into the header (Bearer)
  2. on RestAPI I want to implement a Java Filter to validate the token before to proceed. (i.e. calling the /userinfo api to retrieve userdata and in case of success proceed)

So, for first, is it the proper way to do that? (We did in past in other projects but not sure it is correct), I have seen on the Auth0 dashboard it is possible to authorize application (machine to machine auth) but it is not clear at that point, how to handle user management.
Second thing, I have tested manually and I did not have to add the ClientID or Secret Id to retrieve the user info as soon as I have a valid access token, is there a way to force to add the token for the external RestAPI application to every call?

I really appreciate who will help me and, please, be patient if my request is stupid or repetitive… I read a lot of stuff during last week, it’s Friday, I am tired, and I have to provide feedback about that before “yesterday”…


Hi Andrea.
No need to apologize for questions. This stuff is just complicated at times and, if anything, we at Auth0 and others in the industry need to figure out how to make things simpler for developers.

I would model you scenario like this:

  • One API (a.k.a. “Resource server” in OAuth2 parlance). This represents your Rest API. You give it a unique identifier (e.g. “https://yourcompany.com/api”). Auth0 will issue JWT access tokens to applications that need to access that API.
    You can define scopes for the API if you want different access levels. See https://auth0.com/docs/api-auth for more information.
    You will code your API so that it inspects and validates the Access Token in every request before allowing access.
  • One or more Applications that will access the API (like your Java MVC applications).

Client applications can, in one request, ask for both an authentication (scope=openid) and an access token that can be used to make requests to the Rest API, using audience={your_api_identifier}.
If the authorization request from the Java MVC app looks like this:

  &scope=openid profile email {and optionally scopes for your API, if any}

The final token response will contain an ID Token with information about the authentication and the user (equivalent to what you get by calling the /userinfo endpoint), and an Access Token, meant to be used for requests to the Rest API, in JWT format (so that the API can validate it).
The aud (audience) in the ID Token is the client ID of the requesting application. The aud in the Access Token, on the other hand, is the identifier of the API for which the Access Token can be used.

The Access Token will contain by default only the sub claim about the user (the user ID). If you need more information about the user in the Rest API side you could add custom claims in the Access Token (see https://auth0.com/docs/scopes/current/sample-use-cases#add-custom-claims-to-a-token).

The machine-to-machine scenario is when you want to let an application access an API without user intervention or approval (so the “subject” of the Access Token is the application itself, not the user).

Hope that helps as a starting point, happy to clarify whatever is needed.

Hi Nicolas,

I have a similar situation to the OP but with an ASP.NET Core MVC app and API.

So in the OP’s outlined scenario, I suppose it could be described as the MVC app making the call “on behalf” of the user i.e. the user has authenticated with the MVC app (via Auth0) and then wants the MVC app to make an API call, how do we then “pass” the fact that the user is authorised over to the API when the MVC app makes the call to the API?

In your explanation, you mention that Auth0 will issue JWT access tokens to applications that need to access that API which I understand. However the bit I don’t think I quite understand is how we configure the MVC app to pass the access token over so that the API knows about the user who made the request, if we’re actually passing an access token issued for the MVC app?

I may well have some terminology confused somewhere or the architecture not quite right so please forgive me if so, but if you could clarify those questions, it would be very much appreciated!


Hi Nicholas,

I think I’ve worked it out with a combination of the following:


This extra param &audience={your_api_identifier} in authorize url doesn’t look like standard, at least nothing said about it in RFC6749.

So, if this param not used, than access token is not JWT but opaque. And why would I need this opaque token? To call userinfo endpoint? Not really needed as user info will be in id_token.
What is usage of that opaque access token?

Isn’t access token should always be in JWT format and scope should dictate if this token can be used for calling resource API (resource api should check audience and scope)