Auth0 client-service flow

Hi,
I wonder if you can define if this flow is right:
My front app calls my back-end service to log in. I redirect the user to Auth0, they log in, and Auth0 calls my backend callback endpoint. I get a JWT token, which has user info. I pass this token to the front app, and every time the front end calls back-end services, I validate this token against Auth0.
I wonder if I can validate the Auth0 token without calling their API (because it takes time and there is high latency per API call), or whether I need to sign my own JWT token and manage it with the front app?

What is the best solution?

Hi @andrey2

Is this a SPA or a classic web app? It sounds like a classic web app.

With a classic web app, you can create a session via a cookie and the front end doesn’t need to pass the JWT.

However, you should NOT need to call the Auth0 API to validate the JWT. You only need the signing keys and they don’t change very often, so you can get them, cache them, and from then on you can validate the token without any API call.

John

It’s a SPA. I prefer to use a JWT token instead of a session. In general I’m implementing the passport Auth0 strategy and getting the Auth0 JWT token; I can get user info from that, but after that I’m just using the same Auth0 token to validate all my API calls. I looked into the Auth0 docs to see if I can define a “salt” and reuse the same “salt” on my backend, rather than signing my own JWT token.

Hi @andrey2

I’m a little confused. A JWT token can be either an access token or an ID token, which one is it?

You SHOULD use the access token to authorize calls to the back end (or you can use sessions, but that’s a different topic).

If used properly, the access token doesn’t need salt.

John


JWT as access token.
In general I found that I can fetch ‘signed keys’ from Auth0 and cache this info for token validation, as you said before. The only thing I’m still not so sure about is how to get the redirect link for login from the backend rather than from the client app.