Appropriate token usage for 1p webapp

I have a traditional web application, and I am planning on using auth0 for its support for multiple social logins.

Authorization will not be done using JWT claims, as there are scenarios where a user could have many different roles, and the permission model is strongly coupled to business logic (user X can access Y if X’s user id is stored in the db record for Y).

The idea is that auth0 will be used for authentication (we know user X is the one making the request), but authorization decisions (can X access resource Y) will be done in the backend based on whether Y is associated with X.

What trips me up is the claim that an ID token is for authentication, while an access token is for calling an API with authorization: Why You Should Always Use Access Tokens to Secure an API

My question is: what token should my (server-side) web app pass on to the APIs (which I own) it calls? Should it be the ID token, because I am only passing along who is logged in (authentication), or should it be the access token, even though no authorization information will be contained in it?

It seems like the backend API is really concerned about authentication in this scenario, but I am not sure as I go back and forth when reading various docs. I’ve also read things saying not to use access tokens for authentication, but that kind of feels like what I would be doing.
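To make the split described in the question concrete, here is an added example (not code from this thread or from Auth0): a backend API handler that first authenticates a bearer JWT and then authorizes the request by checking the owner field stored on the record, exactly the "X's user id is stored in the db record for Y" model. Everything here is a constructed stand-in: the shared HMAC secret, issuer, client id and the in-memory records are hypothetical, and a real Auth0 token would be RS256-signed and verified against the tenant's JWKS, which this HS256 example does not do. The check a practitioner would want regardless of which token type is forwarded is the `aud` check: the API must only accept tokens minted for the audience it expects, so a token issued for some other client or API is rejected before any ownership lookup happens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (hypothetical). A real deployment would verify an
# RS256 signature against the issuer's published JWKS instead of a shared secret.
SECRET = b"example-shared-secret"
ISSUER = "https://example-tenant.example/"  # hypothetical issuer URL
CLIENT_ID = "webapp-client-id"  # hypothetical client_id; the 'aud' an ID token carries


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Produce an HS256 JWT for the test cases; stands in for the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_aud: str, now=None) -> dict:
    """Authentication: return the claims only if signature, alg, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        raise ValueError("token not intended for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Constructed stand-in for the application database: each record stores its owner's user id.
RECORDS = {
    "doc-1": {"owner": "auth0|alice", "body": "alice's document"},
    "doc-2": {"owner": "auth0|bob", "body": "bob's document"},
}


def fetch_record(token: str, record_id: str, now=None) -> dict:
    """API handler: authenticate via the token, then authorize against the record's owner field."""
    claims = verify_token(token, expected_aud=CLIENT_ID, now=now)
    record = RECORDS.get(record_id)
    # Same denial for "does not exist" and "not yours", so the API does not leak record existence.
    if record is None or record["owner"] != claims["sub"]:
        raise PermissionError("forbidden")
    return record


def handle_request(token: str, record_id: str, now=None):
    """Map the two failure classes to HTTP-style statuses: 401 (who are you?) vs 403 (not yours)."""
    try:
        return 200, fetch_record(token, record_id, now=now)["body"]
    except ValueError:
        return 401, None
    except PermissionError:
        return 403, None


if __name__ == "__main__":
    now = 1_700_000_000
    alice = mint_token({"iss": ISSUER, "sub": "auth0|alice", "aud": CLIENT_ID, "exp": now + 600})
    print(handle_request(alice, "doc-1", now=now))  # alice reads her own record
    print(handle_request(alice, "doc-2", now=now))  # authenticated, but not the owner
```

The authentication step is generic JWT validation and says nothing about roles; the authorization step is the application's own ownership lookup. That separation is what lets the backend stay indifferent to which token carries the `sub`, as long as the audience and issuer checks are pinned to what the API expects.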

Hey there @pdewilde, welcome to the community!

Thanks for the detailed description of your use case 🙂

This is a common question, and there is plenty of “controversy” around it. Basically, as long as your client and API are within the logical bounds of the same application, it may be OK to use the ID Token in this way. I won’t go into too much detail here, but the following response in a blog discussion is really helpful.

Here is the video that is referenced, also very helpful!

Albeit a bit confusing, hopefully this helps to clear things up a bit!
