We have a legacy server that is accessed by a web SPA via auth0. We have a new django server that has some new API endpoints that the SPA needs access to. Is it possible to set up auth0 on the new server and then somehow have the SPA auth into both servers simultaneously upon login? Our user details are stored in a separate db that is shared between the 2 servers. Anyone have any other suggestions besides authing into both servers?
The recommended way for a SPA to perform authorized requests against a specific (resource) server is (during the authentication/authorization process) to obtain an access token that is suitable for that specific server. In Auth0 that would be handled by configuring an API to represent the server part and assign it a specific audience identifier, for example, https://api.example.com/.
The server would then validate the audience identifier as part of the access token validation. This approach kind of suggests that if you have multiple APIs then you would need multiple access tokens; however, in some circumstances that is not required. In particular, if both your back-end servers trust each other then they can be configured to accept the same access token and in this way allow the SPA to call both even if they are implemented independently and with different technologies.
The important part is that both resource servers need to have the same level of trust because if you accept the same access token on both it means that one server can call the other if it just uses the token it received.
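The audience check described in the answer above, as an added example that is not part of the original thread and not Auth0's or Django's own code. It models two resource servers configured with the same audience accepting one token, a third server with its own audience rejecting it, and a client-side edit of the `aud` claim failing on the signature. The issuer, audiences and secret are constructed values, and the token is HS256 with a shared secret purely so the example runs offline; real Auth0 access tokens are RS256 and are verified against the tenant's JWKS (in Django you would normally do this with a JWT library rather than by hand).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; none of these are real Auth0 identifiers.
ISSUER = "https://example.auth0.com/"              # assumed tenant domain
SHARED_AUDIENCE = "https://api.example.com/"       # the one Auth0 "API" both servers are configured with
BILLING_AUDIENCE = "https://billing.example.com/"  # a hypothetical third API with its own audience
# Assumption: HS256 with a shared secret so the example runs offline. Real Auth0
# access tokens are RS256 and are verified against the tenant's JWKS instead.
SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def mint_token(aud, sub="auth0|user1", ttl=3600, now=None):
    """Stand-in for the access token Auth0 issues to the SPA after login.
    `aud` may be a single audience or a list (a token valid for several APIs)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    parts = [json.dumps(header, separators=(",", ":")), json.dumps(claims, separators=(",", ":"))]
    signing_input = ".".join(_b64url_encode(p.encode()) for p in parts)
    return signing_input + "." + _b64url_encode(_sign(signing_input))


class TokenError(Exception):
    pass


def verify_token(token, expected_audience, now=None):
    """What each resource server does on every request: check the signature first,
    then issuer and expiry, and finally that its own audience is present in `aud`."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    if not hmac.compare_digest(_sign(f"{h}.{p}"), _b64url_decode(s)):
        raise TokenError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise TokenError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise TokenError(f"audience mismatch: token is for {audiences}")
    return claims


def request_allowed(server_audience, token, now=None):
    """True if a server configured with `server_audience` would accept `token`."""
    try:
        verify_token(token, server_audience, now=now)
        return True
    except TokenError:
        return False


def tamper_audience(token, new_aud):
    """Rewrite the aud claim without re-signing, as a client could try to do."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["aud"] = new_aud
    return f"{h}.{_b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


def demo(now=1_700_000_000):
    token = mint_token(SHARED_AUDIENCE, now=now)
    return {
        # legacy and Django servers both configured with the shared audience
        "legacy": request_allowed(SHARED_AUDIENCE, token, now),
        "django": request_allowed(SHARED_AUDIENCE, token, now),
        # a server with its own Auth0 API/audience needs its own token
        "billing": request_allowed(BILLING_AUDIENCE, token, now),
        # editing aud client-side breaks the signature, so it buys nothing
        "tampered": request_allowed(BILLING_AUDIENCE, tamper_audience(token, BILLING_AUDIENCE), now),
        # a token minted for both audiences is accepted by both
        "multi_aud": request_allowed(BILLING_AUDIENCE, mint_token([SHARED_AUDIENCE, BILLING_AUDIENCE], now=now), now),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so the `aud`, `iss` and `exp` values are only trusted because they are covered by the signature. The `multi_aud` case is the other way to serve two servers from one login, a token whose `aud` lists both audiences, and it carries the same trust implication the answer notes: any server that can present the token can call the other.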