I am using Auth0 for my application. I want to keep a local copy of the user information. More specifically, I just want to grab the email so I have an easy way to contact users in the future if need be.
I’m a little bit confused with the flow of things. So the user goes through the whole OAuth song-and-dance using Auth0 and they’re given an opaque access token. I’m then sending up that access token to my server with `POST /users` and `bearer access-token`. I’m then calling the User Profile GET API with that access token. I then subsequently store that information.
The flow of that seemed somewhat logical to me, until I think about subsequent calls to one of my APIs. Let’s say I have another endpoint `POST /users/{userId}/notes`, how would I go about validating that the call is from the given user?
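One way to structure the check the question asks about, written as an added example that is not from the original post and not Auth0's own code: the server resolves the opaque bearer token to a profile through the issuer's userinfo endpoint (stubbed here with a constructed token table, `fake_fetch_userinfo`) and compares the returned `sub` with the `userId` in the path, so the path value is never trusted on its own. The tokens, profiles and the `Api` class are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed stand-in for the issuer's GET /userinfo lookup, keyed by opaque
# access token. In a real deployment this is an HTTPS call to the tenant's
# userinfo endpoint; the tokens and profiles below are made up for the example.
FAKE_USERINFO: Dict[str, dict] = {
    "opaque-token-alice": {"sub": "auth0|alice", "email": "alice@example.test"},
    "opaque-token-bob": {"sub": "auth0|bob", "email": "bob@example.test"},
}

def fake_fetch_userinfo(access_token: str) -> Optional[dict]:
    """Resolve an opaque token to a profile, or None if unknown/expired/revoked."""
    return FAKE_USERINFO.get(access_token)

@dataclass
class Api:
    fetch_userinfo: Callable[[str], Optional[dict]]
    users: Dict[str, str] = field(default_factory=dict)   # sub -> email
    notes: Dict[str, list] = field(default_factory=dict)  # sub -> stored notes

    def _caller(self, authorization: Optional[str]) -> Optional[dict]:
        """Pull the bearer token out of the header and resolve it; None if invalid."""
        if not authorization or not authorization.startswith("Bearer "):
            return None
        token = authorization[len("Bearer "):].strip()
        return self.fetch_userinfo(token) if token else None

    def post_users(self, authorization: Optional[str]) -> int:
        """POST /users: store the caller's email keyed by the issuer's stable 'sub'."""
        profile = self._caller(authorization)
        if profile is None:
            return 401
        self.users[profile["sub"]] = profile["email"]
        return 201

    def post_note(self, authorization: Optional[str], user_id: str, note: str) -> int:
        """POST /users/{userId}/notes: the token decides who is calling, not the path."""
        profile = self._caller(authorization)
        if profile is None:
            return 401                  # no usable token at all
        if profile["sub"] != user_id:
            return 403                  # valid token, but it belongs to someone else
        if user_id not in self.users:
            return 404                  # caller never registered via POST /users
        self.notes.setdefault(user_id, []).append(note)
        return 201
```

Because a userinfo round trip on every request is slow and rate limited, a production server would cache the token-to-profile result for no longer than the token's remaining lifetime.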