Authentication flow - how it works, am I getting it right?

Authentication flow. Let’s say I don’t need access_token to make queries to some API.


1. I am using React. I press login button, I being redirected to Auth0 server to enter email and password, I type them in, I am being redirected back to callback url in my app. As extra param I get access token. It is indicator that I was authorized. Now I can see protected pages in my app. What exactly should I do on callback page with access_token?

a) I see that it exists, I save flag ‘isLoggedIn’ to store? Then on each protected page I check it before render? But this is just data in redux store, I guess it is possible to easily hack it and change flag, am I right?

b) I save access_token to… somewhere? Where? In one tutorial you say it is unsafe, don’t do it, in another you suggest to save access_token in local storage. What to do? Can you give direct and ready to use answer, please? And what should I do with that token after I save it.

c) Or maby I don’t need to save token at all. Should I use some method to check token validity (aka checkSessionOnAuth0Side() ) in root component each time some rerender happens?

2. And the second part of question reffered to API.

This is how I did authentication and authorisation (but looks that something is broken now, I get errors). My apologise for dirty code. It is not working as an application (you may close browser immediately), it is just code, the most important part for you could understand conception.

Is it correct, am I do it a right way, can I use it? Look at the code, please.


Hi @alt1,

You should check out our React SDK. It takes care of these decisions for you. It will cache the access_token in memory, then retrieve it if it exists and is not expired, or requests a new one via silent authentication if your user has refreshed the page or the token is expired. Either way, these decisions are made by the SDK and you don’t have to worry about it.

Here is a link to our react quickstart:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.