Backend for frontend: Create own cookie, don’t use a proxy, don’t use auth0 cookie?

Hello all!

I’ve been thinking about a way to migrate an existing cookie based application to Auth0.
Currently the Backend API authenticates a user with name and password and issues a cookie for the SPA.

My first simple approach to mimic this with auth0 is to use OpenIdConnect in the backend:

  1. User gets redirected to Auth0
  2. Callback lands in the backend; the request includes the Auth0 ID
  3. Backend creates its own new cookie, only keeps Auth0 ID for internal authorization controls

From what I understand usually in a Backend for Frontend pattern there is an additional API layer that only implements the auth flow and acts as a proxy to the “real” API.

So my approach is certainly not the default.
By only using Auth0 to get the Auth0 ID and after that ignoring Auth0… what do I lose?

Normally the backend would handle refresh tokens, invalidated access, etc.
But if my own cookie has a short lifespan and the user gets redirected to Auth0 every time he starts a new session… Is it even necessary to introduce this additional proxy layer?
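Added example, not part of the original post: the cookie part of steps 2 and 3 above, after the backend has already validated the ID token from the callback. The backend keeps only the Auth0 `sub`, issues its own HMAC-signed, short-lived cookie, and treats a failed or expired check as the point where the user is sent back to Auth0. The secret, the TTL and the claims dict are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: a server-side secret for signing the backend's own cookie
# (hypothetical value; load it from configuration, never from source).
COOKIE_SECRET = b"replace-with-32-random-bytes-from-config"
SESSION_TTL_SECONDS = 15 * 60  # short lifespan, as the post proposes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_cookie(id_token_claims: dict, now: Optional[float] = None) -> str:
    """Keep only the Auth0 subject from the (already validated) ID token claims
    and return a backend-owned cookie value: base64(payload).base64(HMAC)."""
    now = time.time() if now is None else now
    payload = {"sub": id_token_claims["sub"], "exp": int(now) + SESSION_TTL_SECONDS}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_session_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the Auth0 subject if the cookie is authentic and unexpired, else None.
    None is where the backend redirects the user to Auth0 for a new session."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        expected = hmac.new(COOKIE_SECRET, body.encode(), hashlib.sha256).digest()
        # constant-time comparison so the signature check cannot be timed
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64, JSON or missing separator
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired or malformed: force a fresh round trip through Auth0
    return payload.get("sub")
```

Set the cookie with HttpOnly, Secure and SameSite attributes; validating the ID token itself (signature against Auth0's keys, issuer, audience, nonce) happens before this and is not shown.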