Best practice with a custom authentication flow

Hi there!

I’m doing research on the options available for the auth flow that I have in mind, and I’m struggling a bit to choose the correct way. Let me describe how and where it should work so you can give me your thoughts.

So let’s say I have the super simple backend which has an API secured by Auth0 middleware.

Now, I’ve got an app (let it be a browser extension, but it could be anything) where I’d like to implement my own login page. Imagine I have a simple HTML page with 2 inputs for login/password and an action button (“Login”). I don’t want the user to be redirected to the Auth0 landing/login page. I want their login data to be sent to the Auth0 authentication API and to get access/refresh tokens in the response. I don’t understand what the point of the callback URL is in this case, since the best option would be to have the tokens returned as a JSON response, and upon success I would manually use those tokens with my backend, store them and do whatever I want.

I’ve also come across the problem that I am unable to obtain the refresh token.

I’m using the /authorize endpoint to get the code with the offline_access scope, then I’m trying to request /oauth/token, but only access_token is returned.

I’ve read that you can only get refresh tokens with PKCE, is that true? If yes, why are only Native and Single-Page applications mentioned for PKCE? I’ve got a simple Node.js backend server which has a couple of endpoints that are secured by Auth0. My Chrome extension authorizes the user, and I want to obtain the refresh_token along with the access_token so that users are able to use my API without any extra interactions after they have authorized, until they log out.

What am I missing?

Just tried implementing PKCE in my app and still only got access_token in the response. Is this because my app is a Regular Web App and not Native/Single-Page? But what if I need refresh tokens for my app, and it seems to be more of a regular web app than one of those?

The API documentation says:

I am including the “offline_access” scope and I’ve enabled “Allow Offline Access” for my API. No refresh_token is being returned from oauth/token.

Ok, I used the “Monitoring” tool and it clearly says the following:

So how should I deal with the refresh tokens in my app, which turns out to be a Chrome extension with a simple Node.js backend?

Hi @yegor211

The short answer is “don’t do what you are doing”.

There are YEARS of security experience in the design of the standard authentication flows. Don’t produce custom ones. You WILL open your app up to security holes.

With your architecture, you should use either the PKCE flow (treating your app as a SPA) or Auth Code (treating your app as a classic web app). For both approaches, you will use the Universal Login Page and NOT host the login page yourself.

John


Thanks for the answer!

So anyway, there is an option to use an embedded login, which is also a way to go, right?

But let’s skip this for now. I will use a normal universal login page.

I am mostly concerned about access restriction to some of my backend endpoints in my app, which turns out to be a Chrome extension.

I’ve gone through your docs a lot and my head is filled with lots of information. I’d be glad to hear your answer to the following question: how should authorization be done in my app so that once the user logs in, he can use my app easily until he logs out of it, assuming the session is infinite? Since the Chrome extension is a browser application, the tokens must be stored locally. But that is not allowed: the refresh token is not returned from the oauth/token endpoint for the browser, so I cannot code the logic behind token rotation. How should the refresh token be obtained and stored in order for my app to be able to refresh the access token when I need to?

Hi @yegor211

Your app is considered to be a SPA, so it will require the Auth Code + PKCE flow.

For refresh tokens, see this blog post: Securing Single Page Applications with Refresh Token Rotation

John


Thank you, I will try that out and get back to you with the result.

Let us know if you have any other questions down the road!