Basic Auth0 question about JWT id_tokens and Universal Login flow

Hi! I’m a newbie struggling to wrap my head around Auth0 and I’ve a basic question (well, many, but here’s the first one).

Does the JWT id_token ever get passed from Auth0 to a user’s browser, so that they can then use it to identify themselves to a web application (let’s say, PHP), perhaps storing it as a cookie, or not?

Hey @davidaventimiglia welcome to the community!

Totally understandable, there’s a lot to learn!

The ID token does indeed get passed from Auth0 (the authorization server) to a user’s browser. Token’s are typically stored in memory, but can also be stored in local storage. An ID token is the result of user authentication whereas an access token is the result of authorization. Here’s a super helpful video explaining the difference :slight_smile:

The following documentation is also helpful in providing a high level overview (I reference it often as a refresher):

Hope this helps!

Thank you for your help!!! If I wear out your patience, just let me know, but I do have a few follow-up questions.

  1. There’s an id_token and an access_token, and the former I guess identifies the user and proves that they’ve logged into (been validated by) Auth0, whereas the latter I guess grants access to an API. Question: do I need both? It seems like the id_token is essential, but I can’t figure out a use for the access_token in my application.
  2. Is it possible to achieve token storage (id_token and/or access_token) in the browser in memory or local storage without JavaScript and the Auth0 SDK? I’m guessing “no” but again I’m trying to build up an accurate mental model of this stuff.

Happy to help!

The access token is used to call an API - Typically, this is added as a header in a request to an external API at which point the API verifies it and additionally checks for permissions. Some libraries that do this can be found here.

You can technically use the Authentication API to carry out most login functionality typically managed by Auth0 SDKS - The API will return tokens, but storage would be entirely up to you at that point without an SDK.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.