I have a traditional web application, and I am planning on using auth0 for its support for multiple social logins.
Authorization will not be done using JWT claims, as there are scenarios where a user could have many different roles, and the permission model is strongly coupled to business logic (user X can access Y if X’s user id is stored in the db record for Y).
The idea is that auth0 will be used for authentication (we know user X is the one making the request), but authorization decisions (can X access resource Y) will be done in the backend based on whether Y is associated with X.
My question is: what token should my (server-side) web app pass on to the APIs (which I own) that it calls? Should it be the ID token, because I am only passing who is logged in (authentication), or should it be the access token, even though no authorization information will be contained in it?
It seems like the backend API is really concerned about authentication in this scenario, but I am not sure as I go back and forth when reading various docs. I’ve also read things saying not to use access tokens for authentication, but that kind of feels like what I would be doing.
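The backend model the question describes (Auth0 answers who is calling; the API decides access from its own records), as an added example that is not from the original post or from Auth0's own libraries. It assumes an HS256 shared secret, a hypothetical tenant issuer and API identifier, and an in-memory dict standing in for the database; a real API verifying tokens from an Auth0 tenant would check an RS256 signature against the tenant's published keys instead. The point it shows is the split the question asks about: signature, issuer, audience and expiry are checked first, and only the verified `sub` reaches the ownership check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed values so the example runs offline (all hypothetical).
SIGNING_SECRET = b"example-signing-secret-not-for-production"
EXPECTED_ISSUER = "https://example-tenant.auth0.com/"   # hypothetical tenant
EXPECTED_AUDIENCE = "https://api.example.com"           # hypothetical API identifier

# Constructed stand-in for the table the question describes: each record
# stores the id of the user who owns it.
RECORDS = {
    "invoice-1001": {"owner_user_id": "auth0|alice"},
    "invoice-1002": {"owner_user_id": "auth0|bob"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, audience: str = EXPECTED_AUDIENCE, ttl: int = 300,
               issued_at: Optional[int] = None) -> str:
    """Test helper: an HS256 JWT carrying identity claims only (no roles, no scopes)."""
    now = int(time.time()) if issued_at is None else issued_at
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": EXPECTED_ISSUER, "sub": sub, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def authenticate(token: str, now: Optional[int] = None) -> str:
    """Verify signature, issuer, audience and expiry; return the caller's subject.

    Raises ValueError on any failure. No authorization decision is made here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it is verified ("alg": "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")   # "aud" may be a string or a list per the JWT spec
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims["sub"]


def authorize(user_id: str, record_id: str) -> bool:
    """The business rule from the question: X may access Y iff Y's record names X as owner."""
    record = RECORDS.get(record_id)
    return record is not None and record["owner_user_id"] == user_id


def get_record(token: str, record_id: str, now: Optional[int] = None) -> Tuple[int, dict]:
    """API handler: authenticate the bearer token, then decide access from the database."""
    try:
        user_id = authenticate(token, now=now)
    except ValueError as exc:          # covers bad base64, bad JSON and every check above
        return 401, {"error": str(exc)}
    if not authorize(user_id, record_id):
        return 403, {"error": "forbidden"}
    return 200, {"record_id": record_id, **RECORDS[record_id]}
```

The audience check is where the ID-token-versus-access-token choice shows up in code: an ID token is issued to the web app's client id, an access token to the API identifier, so whichever one is passed on, the API must pin `EXPECTED_AUDIENCE` to the value that token will actually carry rather than accept any audience.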
Thanks for the detailed description of your use case.
This is a common question around which there is plenty of “controversy”. Basically, as long as your client and API are within the logical bounds of the same application, it may be OK to use the ID Token in this way. I won’t go into too much detail here, but the following response in a blog discussion is really helpful.
Here is the video that is referenced, also very helpful!
Albeit a bit confusing, hopefully this helps to clear things up a bit!