Accesstoken and Id-Token. Which one to use and how to validate an opaque accesstoken?

benjamin.bacher · December 4, 2018, 8:55am

Hi there,

im currently implementing SSO like login for my application.
The infrastructure is like this:

Third Party authentication → Auth0 → My Angular Frontend → My Backend API (.Net Core 2.1).

Please note my Backend API wont issue any further requests to another API.

For my angular frontend im using the implicit grant to get and accesstoken and IDtoken.
The question is wether to reuse the accesstoken in my Backend API or the Id-Token.

Accordingly to the Auth0 Documentation i should use the access token to secure my API.
Altough as far is I understand this would be the case if my API is standalone.
In my case the API is part of the same application as my frontend therefore using the ID-Token could suffice?

Personally i would prefer using the accesstoken and revalidate it with auth0 in the backend.
But i couldn’t find any resource how to accomplish this (preferibly with built-in ways of .net core).
The quickstart guide only shows how to parse a JWT.
In my case the access-token is an opaque string, though.

nicolas_sabena · December 30, 2018, 12:31pm

Hi Benjamin.
To request an access token that will be valid to make requests to your API, make to that you either:

indicate the audience parameter in the authorization request (e.g. audience:"your-api-identifier")
Configure a Default Audience in the Tenant Settings. This is a sensible option if you’ll mostly have only one API protected by your Auth0 domain.

By providing an audience (either by default or explicit), the issued Access Token will be a JWT token which the backend API will be able to validate according to the configuration. Make sure to configure the right audience (the API identifier) and the Auth0 domain (the issuer).

system · August 28, 2019, 2:57pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.