Hello Auth0 community!
I’m trying to develop authentication for a JS SDK. This JS SDK would be used in external web applications, which may be a SPA or a regular web app. The end goal is to build something similar to Shopify’s session tokens seen here for frontend usage.
In particular, I’m trying to use the “SPAs using their backend to obtain and forward tokens back to the JS layer” technique. The main reason to use this and not Auth Code with PKCE is that the external system’s backend would typically have my system’s “account-level” API key, and would use that to authenticate, and not user-level Auth0 access tokens. Very few users of the external system have an identity in my system. My application uses Auth0’s user-level access tokens as well where those few external users need it.
Here I think Auth0 is turning out to be solely a JWT generation and validation service via a single M2M application. Mainly so that I don’t have to re-implement such things, since I already use Auth0 heavily for other use cases in the app (via the enterprise tier).
The diagram below outlines the use-case in more detail
Is this kind of setup OK? I don’t see any problems with it per se, but haven’t seen it discussed elsewhere, i.e. as seen here, Auth0 has a JWT generation and validation service via an M2M application.
Any comments, thoughts would be much appreciated. Thanks!