I have a multi-tenant stateless REST API built in Symfony/Laravel which i’m aiming to outsource the authentication/authorization functionality for. I’ve read up on all the available tutorials but am still slightly baffled by parts of Auth0. We have multiple SPAs talking to the same endpoints which require a basic form of SSO. They have accompanying mobile apps.
The SPA/app does authentication in its UI and needs to receive access/refresh JWT tokens. The database is in Mongo, and has a “subscriber” foreign key on each user record to link it to the parent Auth0 record.
Is there a purely JS way to get an access token from a simple login (i.e. design our own form), or does it have to be an OAuth2 modal with HTTP callback?
Once a JWT access token has been received from Auth0, how can the (separate/remote) PHP backend check the validity of that token and the user’s permissions on each request? Having a middleware which contacts Auth0 each time is heavy on latency, and what happens if a user is deleted/revoked during the validity period of the token?
What i’m trying to ascertain is what the API should do when it is presented with a Bearer header - working on the assumption no input should not be trusted and all supplied data could be malicious or fraudulent. Is this as simple as parsing out the “sub” field of the JS and resolving it against the users table or collection?
- When creating/seeding mock (fake) users in the database, we need to associate each record with an Auth0 subscriber ID. Is there a way to create and delete “fake” users for testing purposes within the Auth0 database?
Thanks in advance!