Basic Concepts: Client-side authentication, server-side validation

So, new to auth0 here, and we’re trying to work out basic concepts here.

We have a react UI, and it seems like we can just manage authentication by communicating directly from it with auth0: Auth0 React SDK Quickstarts: Login

However, we have a backend API (python/django) with which we need to make authenticated requests (database queries and the like) based on a given user’s permissions. We’re not quite sure what kind of model we should be following here: Do we have the backend manage auth0 through the django SDK? And then somehow authenticate the frontend with tokens? If we have the frontend communicate directly with the auth0 api, how do we inform the backend of new user creations, and how do we do user management between our frontend and our backend?

Hi there @komali2 welcome to the community!

I definitely recommend first checking out this page which outlines the SPA + API architectural scenario. This should provide you a high level overview of the concepts involved. Essentially, your frontend will handle authenticating a user and obtaining tokens (ID/Access tokens) whereas your backend will be responsible for validating those tokens and making decisions based on the scopes/permissions granted. For an even higher level overview of Identity fundamentals, this video series can be super helpful - I revisit it often! :smile:

We do also have a Python/Django sample that may be worth looking into - You can find that here.

Hope this helps get you started in the right direction!

3 Likes

Thank you, that documentation was super helpful and really well written.

One thing we’re confused about is how we can just use auth0 as… Is the term identity provider? Basically we have a massively complex permissions use case that we wanna manage on our database with Django models etc. We’re wondering how we can use auth0 to basically validate, say, a Google account, and then identify that against a user account in our database (or register that in our database). It seems to use the frontend SDK for this would involve doing all the verification on the frontend, then sending Identity information to the backend to verify again / register?

1 Like

Hey @komali2! Sorry for the delay here, but wanted to see if you made any further progress on this.

This sounds like you may want to use a social connection against your Auth0 tenant - Basically, you can allow users to authenticate with a social identity provider (in this case google) and then Auth0 will store information about that in the user’s details, in particular the identities array.

You can also access similar information via the event object available in actions.

Some more on Identity Provider Access Tokens:

Hope this helps!
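To make the two replies concrete (the backend validates the access token the frontend obtained and decides on scopes/permissions; the social-login user is identified by a stable Auth0 user id rather than re-verified), here is an added example in plain Python. It is not code from this thread, from Auth0's SDKs or from the Django sample. It uses only the standard library, so it models the HS256 (shared-secret) signing option an Auth0 API can be configured with; for the recommended RS256 option the signature is checked against the tenant's JWKS (for example with PyJWT's PyJWKClient), and the claim checks are the same. The tenant domain, API identifier, secret, user ids and the in-memory user table are all constructed stand-ins.

```python
"""Validate an Auth0 access token on the backend and map its ``sub`` claim
onto a local user record (added example; all values are constructed)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed configuration; in Django these would live in settings.
ISSUER = "https://example-tenant.auth0.com/"   # hypothetical tenant domain
AUDIENCE = "https://api.example.com"           # hypothetical API identifier
SIGNING_SECRET = b"constructed-test-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Build an HS256 JWT as test input. In production Auth0 mints tokens;
    the backend only ever verifies them."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    """Any reason to reject the token (a view would answer HTTP 401)."""


def validate_access_token(token: str, now: Optional[float] = None,
                          secret: bytes = SIGNING_SECRET) -> dict:
    """Return the claims if the token is trustworthy, else raise TokenError.
    Structure and algorithm are checked first, then the signature, and only
    then the claims: claims mean nothing until the signature has passed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        raise TokenError("undecodable token")
    # Pin the algorithm to what the API is configured for; never trust the
    # token's own "alg" (this is what blocks alg=none style confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not meant for this API")
    if now >= float(claims.get("exp", 0)):
        raise TokenError("token expired")
    if not isinstance(claims.get("sub"), str):
        raise TokenError("missing sub")
    return claims


def has_permission(claims: dict, needed: str) -> bool:
    """RBAC ``permissions`` (if enabled on the API) or the OAuth ``scope``."""
    return needed in claims.get("permissions", []) or \
        needed in claims.get("scope", "").split()


LOCAL_USERS = {}  # stand-in for a Django model keyed by the Auth0 ``sub``


def get_or_create_local_user(claims: dict) -> dict:
    """``sub`` is the stable id Auth0 assigns, e.g. "google-oauth2|123".
    Store it opaquely; do not key users on email, which can change."""
    sub = claims["sub"]
    created = sub not in LOCAL_USERS
    if created:
        LOCAL_USERS[sub] = {"auth0_sub": sub, "local_id": len(LOCAL_USERS) + 1}
    return {**LOCAL_USERS[sub], "created": created}


def handle_request(token: str, needed: str,
                   now: Optional[float] = None) -> Tuple[int, dict]:
    """What a DRF authentication/permission layer does: (status, body)."""
    try:
        claims = validate_access_token(token, now=now)
    except TokenError as exc:
        return 401, {"error": str(exc)}
    if not has_permission(claims, needed):
        return 403, {"error": "insufficient permissions"}
    user = get_or_create_local_user(claims)
    return 200, {"local_id": user["local_id"], "new_user": user["created"]}


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_test_token({"iss": ISSUER, "sub": "google-oauth2|1234567890",
                             "aud": [AUDIENCE], "exp": t0 + 3600,
                             "permissions": ["read:reports"]})
    print(handle_request(token, "read:reports", now=t0))
    print(handle_request(token, "write:reports", now=t0))
```

The frontend never needs to tell the backend about "new users": the first request carrying a valid token for an unknown `sub` creates the local row, and every authorization decision after that is made against your own Django permission model using that row.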