Hello all!
I’ve been thinking about a way to migrate an existing cookie based application to Auth0.
Currently the Backend API authenticates a user with name and password and issues a cookie for the SPA.
My first simple approach to mimic this with auth0 is to use OpenIdConnect in the backend:
- User gets redirected to Auth0
- Callback lands in the backend, request includes the Auth0 ID
- Backend creates its own new cookie, only keeps Auth0 ID for internal authorization controls
From what I understand usually in a Backend for Frontend pattern there is an additional API layer that only implements the auth flow and acts as a proxy to the “real” API.
So my approach is certainly not the default.
By only using Auth0 to get the Auth0 ID and after that ignoring Auth0… what do I lose?
Normally the backend would handle refresh tokens, invalidated access etc.
But if my own cookie has a short lifespan and the user gets redirected to Auth0 every time he starts a new session… Is it even necessary to introduce this additional proxy layer?
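The three-step flow described in the post (redirect to Auth0, callback carrying the Auth0 identity, backend mints its own short-lived cookie that keeps only the subject), as an added example that is not code from the original post or from Auth0. It shows the checks the backend still has to perform itself in this design: binding the callback to the login attempt via a one-time `state`/`nonce`, validating the ID token's signature, issuer, audience and expiry, and then signing and expiring its own cookie. Assumptions: the ID token is HS256-signed with the client secret so the example runs offline with the standard library only (Auth0 applications default to RS256 with a JWKS endpoint, which a real backend would verify instead); `ISSUER`, `CLIENT_ID`, `CLIENT_SECRET` and the user subject are placeholder values; the `demo()` function stands in for the browser round-trip.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed placeholder values; a real backend loads these from configuration.
ISSUER = "https://example-tenant.auth0.com/"   # placeholder tenant
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = b"client-secret-placeholder"    # HS256 ID-token key (assumption, see lead-in)
SESSION_KEY = secrets.token_bytes(32)           # signs the backend's own cookie
SESSION_TTL = 15 * 60                           # the "short lifespan" from the post


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(payload: dict, key: bytes) -> str:
    """Compact HS256 JWT; used only to construct the sample ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, nonce: str, now: float) -> dict:
    """The relying-party checks: signature, alg pinning, iss, aud, exp, nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:  # ties this token to this login attempt
        raise ValueError("nonce mismatch")
    return claims


def issue_session_cookie(sub: str, now: float) -> str:
    """The backend's own cookie: only the Auth0 subject plus an expiry, HMAC-signed."""
    body = _b64url(json.dumps({"sub": sub, "exp": int(now + SESSION_TTL)}).encode())
    sig = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def read_session_cookie(cookie: str, now: float):
    """Return the subject if the cookie is intact and unexpired, otherwise None."""
    parts = cookie.split(".")
    if len(parts) != 2:
        return None
    body, sig_b64 = parts
    expected = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    data = json.loads(_b64url_decode(body))
    return data["sub"] if data["exp"] > now else None


def handle_callback(id_token: str, state: str, pending: dict, now: float) -> str:
    """Callback handler: consume the one-time state, verify the token, mint the cookie."""
    nonce = pending.pop(state, None)  # one-time use blocks replay of a callback URL
    if nonce is None:
        raise ValueError("unknown or replayed state")
    return issue_session_cookie(verify_id_token(id_token, nonce, now)["sub"], now)


def demo(now: float = None) -> dict:
    """Run the whole flow with a constructed ID token and report the outcomes."""
    now = time.time() if now is None else now
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    pending = {state: nonce}  # stored server-side before redirecting to Auth0
    id_token = hs256_sign({"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|user123",
                           "iat": int(now), "exp": int(now) + 600, "nonce": nonce}, CLIENT_SECRET)
    cookie = handle_callback(id_token, state, pending, now)
    body, sig = cookie.split(".")
    forged = _b64url(json.dumps({"sub": "auth0|admin", "exp": int(now) + 999}).encode()) + "." + sig
    try:
        handle_callback(id_token, state, pending, now)
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return {"sub_now": read_session_cookie(cookie, now),
            "sub_after_ttl": read_session_cookie(cookie, now + SESSION_TTL + 1),
            "forged": read_session_cookie(forged, now),
            "state_reuse_rejected": reuse_rejected}
```

`read_session_cookie` is the only thing the backend consults afterwards, which makes the trade-off in the post concrete: once the cookie is minted, the backend does not hear from Auth0 again, so a session revoked or a user blocked on the Auth0 side stays valid here until `SESSION_TTL` runs out. The short TTL bounds that window; a layer that holds refresh tokens would instead learn about the revocation at the next refresh.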