I’ve read a tonne of documentation and somehow I’m still a little unsure precisely what I should recall on my back-end (using the Node.js SDK) to resolve a passed user token (i.e. the token that is the result of a successful universal login).
In the docs for the SDK there’s the getProfile method - is this the authoritative source of whether a token is valid, or is there some other method/endpoint I should be calling?
Thanks. I’m just trying to figure out the back-end part of the flow. I’m really new to all this and haven’t used JWT before.
So are you saying that my back-end, on being passed an auth token (i.e. a JWT), should first validate it with the library you linked to, and then call the getProfile endpoint on Auth0? Is it these TWO steps which, combined, constitute the successful confirmation that a JWT represents an authenticated user, or just the first (the second (get profile) being necessary only if you actually want the profile details)?
Wouldn’t merely calling getProfile suffice, without validating the JWT first? I’m speaking from total ignorance here so this is probably a terrible idea, but I’m just trying to get it clear in my head. Surely if I do nothing other than try to get profile, that either succeeds (the JWT was valid) or fails (it wasn’t), ergo that step alone constitutes validating the token?
I realise I’m asking some real basics here so I appreciate your patience and help!
Technically speaking, because getProfile does require a valid access token (it’ll throw an error if not), it could serve as a rudimentary check on the access token. It is just not best practice, as it does more than just validate the token - validating the token first and then performing subsequent actions makes more sense as your use case becomes more complex (as opposed to relying on getProfile).
Thank you! So just to wrap this up, you’re saying I should first validate the JWT, using the library you mentioned. When I do this, could you clarify what precisely I’m looking for in that validation? Am I checking for a particular item in the decoded token? And only then, if we pass that stage, do I call getProfile(), right?