As I understand I need to use the oauth/token endpoint from my backend service in order to interact with the Management API. Since id tokens eventually expire I will need to ask for a refresh token because this backend worker will never be logged into by a user.
What is the best practice for determining when a new id token should be requested? Should I check the id token expiration before each call to the Management API and request a new token using the refresh token if it’s expired?
Example:
var token = GetCachedToken();
if (IsExpired(token)) { token = GetTokenFromRefreshToken(); }
new ManagementApiClient(token).CreateUser(...)
The recommended practice for your scenario is to obtain the access token to call the Management API by performing a client credentials grant. This grant does not imply or require user credentials, it obtains a token by providing only client application credentials (id and secret). In addition, have in mind that this grant can only be used by confidential client applications that are able to maintain the assigned secret secret.
You’re using this from a back-end so that certainly qualifies as a confidential client; if this back-end is already part of an application represented in Auth0 as a regular web application than you can reuse the client information to perform the client credentials grant; if not you can just create a new non-interactive client application to represent it. In both cases you’ll need to authorize it to call the Management API; see the reference docs on how to obtain Management API tokens for more information.
With the above approach there would not be a refresh token, but the client credentials would be an equivalent as they would also allow to continue to request new access tokens when the previous one expires. As an additional note, tokens sent to API’s are generally referred to as access tokens while ID tokens are tokens issued as part of OpenID Connect and that represent information about the user that performed authentication into a certain client application.