My goal has always been to implement the architecture proposed in this article. Basically I want access tokens (i.e. opaque ones) to be exchanged on the internet, and ID tokens (i.e. JWTs) inside my private network. With Auth0 I've used the following architecture:
![alt text][1]
My web client uses Auth0.js to log in, and Auth0 sends back both an access token and a JWT. All API calls to my backend server go through an API Gateway (edge service) which expects the access token to be passed in the headers. The edge service then calls the /userinfo endpoint on Auth0 to get the user profile. It then creates its own JWT using this profile, signed with my own keys as opposed to the Auth0 key.
This has the major drawback of making a call to Auth0 for every API call, so I've added caching of the /userinfo response. However, this API call does not return the expiry date of the access token. Thus, if I use the access token as the key in my cache, I cannot know when this access token will expire.
Is there a way in Auth0 to know the expiry date of an access token?
Alternatively, is there a better architecture? Do people usually send an ID token to their backend so it can be verified without calls to Auth0?
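The exchange the post describes (opaque access token in, /userinfo lookup, cached, gateway-minted JWT out), as an added example that is not part of the original post and not Auth0's or any gateway product's code. It replaces the HTTP call to Auth0's /userinfo with an in-memory stand-in, signs the internal token with HS256 under a gateway secret, and, because /userinfo does not report the access token's expiry, bounds every cache entry with a gateway-chosen TTL instead. The `edge-gateway` issuer name, the TTL values, the token strings and the profiles are all assumptions; the cache is keyed on a SHA-256 digest of the access token so it never stores raw bearer tokens.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT signed with HMAC-SHA256 under the gateway's own key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes, now: float) -> dict:
    """What a backend service behind the gateway does: check signature and expiry, raise on failure."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


class EdgeGateway:
    """Exchanges an opaque access token for an internal JWT.

    fetch_userinfo: callable(access_token) -> profile dict, raising when the
    identity provider rejects the token (stands in for GET /userinfo on Auth0).
    Since /userinfo reports no expiry for the access token, cache entries live
    at most cache_ttl seconds (an assumption, not an Auth0 behaviour).
    """

    def __init__(self, fetch_userinfo, signing_key: bytes, cache_ttl: int = 300,
                 jwt_ttl: int = 300, now=time.time):
        self.fetch_userinfo = fetch_userinfo
        self.signing_key = signing_key
        self.cache_ttl = cache_ttl
        self.jwt_ttl = jwt_ttl
        self.now = now
        self._cache = {}  # sha256(access_token) -> (profile, cached_at)
        self.upstream_calls = 0  # how many times /userinfo was actually hit

    @staticmethod
    def _cache_key(access_token: str) -> str:
        return hashlib.sha256(access_token.encode()).hexdigest()

    def _profile_for(self, access_token: str) -> dict:
        key = self._cache_key(access_token)
        hit = self._cache.get(key)
        if hit and self.now() - hit[1] < self.cache_ttl:
            return hit[0]
        self.upstream_calls += 1
        profile = self.fetch_userinfo(access_token)  # raises if the IdP rejects the token
        self._cache[key] = (profile, self.now())
        return profile

    def exchange(self, authorization_header: str) -> str:
        """Turn 'Authorization: Bearer <opaque token>' into a short-lived internal JWT."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise PermissionError("missing bearer token")
        profile = self._profile_for(token)
        issued = int(self.now())
        claims = {"iss": "edge-gateway", "sub": profile["sub"], "email": profile.get("email"),
                  "iat": issued, "exp": issued + self.jwt_ttl}
        return sign_hs256(claims, self.signing_key)


# Constructed stand-in for /userinfo: one valid opaque token, everything else rejected.
FAKE_USERINFO = {"opaque-token-abc": {"sub": "auth0|123", "email": "alice@example.com"}}


def fake_userinfo(access_token: str) -> dict:
    if access_token not in FAKE_USERINFO:
        raise PermissionError("401 from /userinfo")
    return dict(FAKE_USERINFO[access_token])


def demo():
    """Two calls inside the TTL hit upstream once; after the TTL the token is revalidated."""
    clock = [1_700_000_000.0]
    gw = EdgeGateway(fake_userinfo, b"gateway-secret", cache_ttl=60, jwt_ttl=120,
                     now=lambda: clock[0])
    gw.exchange("Bearer opaque-token-abc")
    gw.exchange("Bearer opaque-token-abc")  # served from cache
    clock[0] += 61
    internal = gw.exchange("Bearer opaque-token-abc")  # TTL elapsed: /userinfo called again
    claims = verify_hs256(internal, b"gateway-secret", clock[0])
    return gw.upstream_calls, claims["sub"], claims["exp"] - claims["iat"]
```

The TTL is the trade-off the post is asking about: for at most `cache_ttl` seconds the gateway will keep honouring an access token that Auth0 has already expired or revoked, so it should be kept short, and the internal JWT's own `exp` should be no longer than the cache entry that produced it.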