Auth0 JWT AWS Native Mobile app with Login

Hi everyone,

I completed the following tutorial, which was fantastic btw, well done, but I would like some advice on the architecture and design of the backend of a mobile app, to make sure I'm going about it the right way, as I'm still quite new to AWS API Gateway, DynamoDB, Auth0, etc.

I am making a native mobile app where people can login, see their duties, retrieve basic user information, change some values, add some rows to duties, and that’s it.

The initial state of the native app is LoggedOut, with just a prompt of 2 fields.

For the login process I want a very basic setup:

  • type in a UserID (3-digit number)
  • type in a temporary (12hr) passcode (6-digit number).

This then checks that the details are correct, takes the MAC address of the device, authenticates the device with a persistent login (until the user selects Logout) and then removes the 6-digit login number.

I'm not sure whether I should be managing those details in Auth0 for all users, or in the DynamoDB part of AWS with all the user details. Rather than adding 100 users in Auth0, it would perhaps be simpler to add them to DynamoDB? I'm still getting my head around a flat DB design rather than a large normalised relational SQL DB.

As the device is in a "logged in" state, I assume it will have saved the token locally and will append it to each future request. If a 401 is returned, it requests a new token and repeats the initial user request.

I would like to expand this in future with Roles too, where some logged-in users will have access to other types of pages, managed by the UI.

Just looking for a bit of guidance to where I should be looking for an architecture like this.

Many thanks in advance,
Jammo
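
The token flow described in the post above (attach the saved token to every request, and on a 401 obtain a new one and retry), as an added example that is not part of the original thread. It is written in JavaScript with a synchronous `transport` function standing in for `fetch`; the mock backend, the tenant URL `https://example-tenant.auth0.com/oauth/token`, the token values and the client ID are constructed placeholders. The "new token" step uses a refresh token, which is what Auth0's `refresh_token` grant against `/oauth/token` provides.

```javascript
// Added example (not from the original thread): a client that keeps the access
// token locally, sends it as a Bearer header on every request and, on a 401,
// exchanges the refresh token for a new access token exactly once before
// retrying. If the refresh itself fails the client drops to LoggedOut, which
// is what the app should do when the refresh token has been revoked.
const LOGGED_OUT = 'LoggedOut';
const LOGGED_IN = 'LoggedIn';

function createClient({ transport, tokenEndpoint, clientId, store }) {
  let state = store.accessToken ? LOGGED_IN : LOGGED_OUT;

  function logout() {
    state = LOGGED_OUT;
    delete store.accessToken;   // in a real app: clear the secure store / keychain entry
    delete store.refreshToken;
  }

  function refreshAccessToken() {
    if (!store.refreshToken) return false;
    const res = transport({
      method: 'POST',
      url: tokenEndpoint,
      body: { grant_type: 'refresh_token', client_id: clientId, refresh_token: store.refreshToken },
    });
    if (res.status !== 200) return false;
    store.accessToken = res.body.access_token;
    // With refresh token rotation enabled, Auth0 returns a new refresh token; keep it.
    if (res.body.refresh_token) store.refreshToken = res.body.refresh_token;
    return true;
  }

  function request(method, url, body) {
    if (state !== LOGGED_IN) throw new Error('not logged in');
    const send = () => transport({
      method, url, body, headers: { Authorization: `Bearer ${store.accessToken}` },
    });
    let res = send();
    if (res.status === 401) {
      // Retry at most once, and only after a successful refresh; never loop.
      if (!refreshAccessToken()) { logout(); return res; }
      res = send();
      if (res.status === 401) logout();
    }
    return res;
  }

  return { request, logout, getState: () => state };
}

// Constructed stand-in for API Gateway plus the Auth0 token endpoint.
const TOKEN_ENDPOINT = 'https://example-tenant.auth0.com/oauth/token'; // placeholder tenant
function createMockBackend() {
  let issued = 0;
  const validAccessTokens = new Set(['at-0']);
  return {
    issuedCount: () => issued,
    expire: (token) => validAccessTokens.delete(token),
    transport(req) {
      if (req.url === TOKEN_ENDPOINT) {
        if (req.body.grant_type === 'refresh_token' && req.body.refresh_token === 'rt-good') {
          issued += 1;
          const token = `at-${issued}`;
          validAccessTokens.add(token);
          return { status: 200, body: { access_token: token, token_type: 'Bearer' } };
        }
        return { status: 403, body: { error: 'invalid_grant' } };
      }
      const token = ((req.headers && req.headers.Authorization) || '').replace('Bearer ', '');
      if (!validAccessTokens.has(token)) return { status: 401, body: {} };
      return { status: 200, body: { duties: ['gate-1', 'gate-2'] } };
    },
  };
}

// Walk through: valid token, expired token with a good refresh, then a revoked refresh token.
function runDemo() {
  const backend = createMockBackend();
  const store = { accessToken: 'at-0', refreshToken: 'rt-good' };
  const client = createClient({ transport: backend.transport, tokenEndpoint: TOKEN_ENDPOINT, clientId: 'app-client-id', store });
  const first = client.request('GET', '/duties').status;
  backend.expire('at-0');
  const afterRefresh = client.request('GET', '/duties').status;
  store.refreshToken = 'rt-revoked';
  backend.expire(store.accessToken);
  const afterRevoke = client.request('GET', '/duties').status;
  return { first, afterRefresh, afterRevoke, issued: backend.issuedCount(), finalState: client.getState() };
}
```

The single-retry rule matters: if the refresh succeeds but the API still answers 401 (for example the audience is wrong), looping would hammer the token endpoint, so the client logs out instead.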

Hi @jammo,

Thanks for posting a thorough topic!

There is quite a bit going on here, and I’ll try to help with some parts. If you have specific questions, please add them, that will help narrow down how to respond.

I would reconsider this schema unless you are absolutely limited to it. It goes against NIST guidelines. Is there a reason you aren’t using something more common like an email/password?

Have you considered using refresh tokens?

You can use RBAC, and add roles to the tokens in a rule.

What framework are you using for your mobile app?