Auth0 use user's access token for API calls best practice

Hey everybody,

I would like to discuss the general best practices around using user access tokens to communicate with a third-party API and make sure I’m doing things right.

Assume we have a web application where the user can click “Sign in with GitHub”. After a successful login we give the user what I assume is an Auth0 access token that we can use to verify the user’s identity. And the website provides a basic wrapper around viewing GitHub repository data. To get this data we need to make API calls to GitHub’s API using the user’s GitHub access token.

What I’m wondering is what the best practice is for using the user’s GitHub access token to make these API calls.

Would it be:

  • Give the GitHub access token directly to the client and have API calls made directly from the browser
  • Have a reverse proxy intercept the GitHub API calls by retrieving the user’s GitHub access token from Auth0 and patching the authorization header

If the solution is to use a reverse proxy approach, does the reverse proxy itself need a special Auth0 service access token to make API calls to retrieve the identity provider access tokens or does it use the user’s Auth0 token? I’ve come across this: Identity Provider Access Tokens which is helpful. The problem with this is that it returns a big list of users and their access tokens for the different providers. Does that mean that the reverse proxy should cache these credentials somewhere?

Keen to hear what people have to say!

Would be interested in an answer too! Particularly if it is fine to expose the access token in the client to communicate with the external API. In my case, Hasura.
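
The reverse-proxy option from the question above, sketched as an added example that is not part of the original thread: the proxy discards whatever credentials the browser sent, restricts the request to a read-only allow-list, and attaches the GitHub token server-side from a short-lived per-user cache. `fetchIdpToken`, `createTokenCache`, `buildUpstreamRequest`, the allowed paths and the TTL are all assumptions; `fetchIdpToken` is a hypothetical stand-in for the deployment's lookup against Auth0, and `userId` is assumed to come from an already verified Auth0 session.

```javascript
// Added example: server-side header patching for the reverse-proxy option.
// fetchIdpToken is a hypothetical stand-in for the Auth0 lookup; it is
// injected so the block runs offline.
const GITHUB_API = "https://api.github.com";
// Assumed allow-list: the site only views repository data.
const ALLOWED_PATHS = [/^\/user\/repos$/, /^\/repos\/[\w.-]+\/[\w.-]+(\/[\w.\/-]*)?$/];
const FORWARDED_HEADERS = new Set(["accept", "if-none-match", "user-agent"]);

function createTokenCache(fetchIdpToken, ttlMs, now = Date.now) {
  const entries = new Map(); // userId -> { token, expires }
  return {
    async get(userId) {
      const hit = entries.get(userId);
      if (hit && hit.expires > now()) return hit.token;
      const token = await fetchIdpToken(userId); // one lookup for one user
      if (!token) throw new Error("no GitHub token for user");
      entries.set(userId, { token, expires: now() + ttlMs });
      return token;
    },
    evict(userId) { entries.delete(userId); }, // call on logout or upstream 401
  };
}

async function buildUpstreamRequest(inbound, userId, cache) {
  if (!userId) throw new Error("unauthenticated");
  if (inbound.method !== "GET") throw new Error("method not allowed");
  // URL parsing normalizes "../" segments before the allow-list is checked.
  const url = new URL(inbound.path, GITHUB_API);
  if (url.origin !== GITHUB_API || !ALLOWED_PATHS.some((re) => re.test(url.pathname))) {
    throw new Error("path not allowed");
  }
  const headers = {};
  for (const [name, value] of Object.entries(inbound.headers)) {
    // Client-supplied Authorization and Cookie headers are never forwarded.
    if (FORWARDED_HEADERS.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  headers.authorization = `Bearer ${await cache.get(userId)}`;
  return { method: "GET", url: url.toString(), headers };
}
```

With this shape the GitHub token never reaches the browser, and the cache holds only tokens for users who have made a request within the TTL.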