I have a mobile app where the user logs in and a Tickets API from which the app retrieves the user’s tickets. The problem is that the GET tickets endpoint is like /tickets/{userid}. The userId is a GUID created inside my application, it is different from the auth0 user id. I have two questions about this:
When the user logs in the app how can the app retrieve the user’s application userId in order to be able to call the API.
Once the app has the userId, how can I secure the API in such a way that this user can call the GET tickets endpoint only with this userId. For every other userId he should get a Forbidden response.
Thank you in advance and I will be glad to provide more details if needed. My API is written in C#.
When a user logs in via Auth0, depending on the implementation both the associated ID token and Access token will have a sub claim which is the Auth0 user ID.
Alternatively, you could add an Action that calls an API (that you would write) when a user is first created, grabs your external database userid. It would then add the userid to the user’s app_metadata and eventually as a custom claim to a token.
I recommend taking a look at our Architecture Scenarios documentation for an overview of what this may look like:
Unfortunately because your local machine and the Auth0 authorization servers do not share the same instance you won’t be able to communicate with localhost
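The two halves of the suggested approach, as an added example that is not part of the original thread or of Auth0's own code: a post-login Action that copies the application's userId from app_metadata into a namespaced custom claim, and the resource-server check that compares that claim with the /tickets/{userid} route value and returns 403 on a mismatch. The claim namespace, the sample user record, the GUIDs and the stub of the Action `api` object are all assumptions constructed here so the code runs offline; the C# API would do the same comparison in an ASP.NET Core authorization handler, which is sketched in the note below the code rather than in C# so that the block can be executed.

```javascript
// Added example (not from the original thread). Runs offline against a
// constructed event and a stub of the Auth0 Action `api` object.

// Custom claims in Auth0 tokens must be namespaced (URL-like prefix) so they
// cannot collide with standard claims. This namespace is an assumed placeholder.
const CLAIM = "https://example.com/app_user_id";

// Core of the post-login Action: read the application's own userId that an
// earlier step stored in app_metadata and attach it to both tokens.
// Kept synchronous so it can be called directly from a test.
function addAppUserIdClaims(event, api) {
  const meta = (event.user && event.user.app_metadata) || {};
  const appUserId = meta.userid;
  if (typeof appUserId !== "string" || appUserId.length === 0) {
    // No metadata yet (e.g. the creation hook has not run): issue no claim
    // rather than a guessable default. The API below then refuses the request.
    return false;
  }
  api.idToken.setCustomClaim(CLAIM, appUserId);      // for the app to read
  api.accessToken.setCustomClaim(CLAIM, appUserId);  // for the API to enforce
  return true;
}

// The handler as it would be pasted into an Auth0 Action
// (in the Action file this is `exports.onExecutePostLogin`).
const onExecutePostLogin = async (event, api) => {
  addAppUserIdClaims(event, api);
};

// Stand-in for the Action `api` object: records the claims it is given.
function makeApiStub() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
  };
}

// Resource-server side of GET /tickets/{userid}. `claims` is the payload of an
// access token whose signature, issuer, audience and expiry the JWT middleware
// has already verified; never call this on an unverified token. The route
// value is untrusted input and is compared, not trusted, so a caller who puts
// someone else's GUID in the path gets 403.
function authorizeTicketsRequest(claims, routeUserId) {
  const tokenUserId = claims[CLAIM];
  if (typeof tokenUserId !== "string" || tokenUserId.length === 0) {
    return { status: 403, reason: "token carries no application user id" };
  }
  // GUIDs are case-insensitive; normalize so casing in the URL cannot bypass the check.
  if (tokenUserId.toLowerCase() !== String(routeUserId).toLowerCase()) {
    return { status: 403, reason: "userid in route does not match token" };
  }
  return { status: 200 };
}

// Constructed sample user as Auth0 would hand it to the Action after login.
const SAMPLE_EVENT = {
  user: {
    user_id: "auth0|5f1c2e9d3b4a6c0012345678",                       // Auth0 sub (constructed)
    app_metadata: { userid: "9b2f4f43-7d1e-4c6a-8b0f-2a1d6e9c3f10" }, // app GUID (constructed)
  },
};

// End to end: run the Action, then try three requests against the API check.
function demo() {
  const api = makeApiStub();
  addAppUserIdClaims(SAMPLE_EVENT, api);
  const accessToken = { sub: SAMPLE_EVENT.user.user_id, ...api.claims.accessToken };
  return {
    own: authorizeTicketsRequest(accessToken, "9B2F4F43-7D1E-4C6A-8B0F-2A1D6E9C3F10"),
    other: authorizeTicketsRequest(accessToken, "00000000-0000-0000-0000-000000000001"),
    noClaim: authorizeTicketsRequest({ sub: SAMPLE_EVENT.user.user_id },
                                     "9b2f4f43-7d1e-4c6a-8b0f-2a1d6e9c3f10"),
  };
}
```

The app reads the same claim from the ID token to learn which userId to put in the URL, but the decision is made only on the API from the verified access token. In the C# API the equivalent is a policy or authorization handler that takes the claim from `User.FindFirst(...)` on the authenticated principal and compares it with the route's userid, returning 403 Forbidden on mismatch or when the claim is absent; the Auth0 user ID in `sub` is deliberately not used for the comparison because it is a different identifier from the application GUID.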