I’ve been going over this for a couple hours and think I have a good solution to it but I’m looking for some help or criticism to work out any kinks I may have made and missed.
End goal is to have multiple frontends that can connect to multiple (or just one, if you want to simplify the problem) Nodejs APIs while keeping it easy to maintain.
I’m assuming that using the same Auth0 Application for each frontend is bad practice, so I will have one Auth0 Application for each frontend. Following a successful login on any given frontend, an access token can be retrieved and used to make authorized API calls.
Then on the backend, I will have configured a middleware using express-jwt and family to validate the passed token before executing API requests. In my experience thus far, I used the client ID, audience, etc. from these Auth0 frontend applications to create this middleware. In the event that a given API has more than one frontend that will talk to it, I would create a second middleware with the different Auth0 parameters. I am not sure what happens when you use two middlewares like this, as I haven’t tested it yet.
This solution is attractive to me because if I can eventually package these various middlewares, then in the event of another API being created, I can simply include the packaged middleware and voilà! The new backend can be reached by existing applications.
But this is just my current hope/plan, please poke holes in it or steer me in the right direction as needed.
An alternate approach would be sort of the inverse: use the Auth0 provider for each of my frontends and then have some custom JS that requests a token for the API(s) it has access to and then use that for requests. This seems to run the risk of handling multiple tokens unnecessarily.