I’m building a system that is using Auth0 for authentication, and I’m unsure how to properly use the access_token. Or rather, I’m confused about which roles to assign to the various services in my setup.
I have a fully static frontend-application (SPA, HTML + JS) that ensures that the user is authenticated using the implicit flow against Auth0. The frontend-application then fetches data from an API that I am also building. Is the frontend the OAuth client, and my API service an OAuth protected resource, or are both the frontend and the backend API together the client?
If both my frontend and backend API can be considered to be the client, I see no real harm in using the id_token as the bearer token on requests from my frontend to my backend - this is appealing because then I can simply verify the signed token on the backend, and I have all the information about the user that I need. If the API is considered a protected resource, I should probably use the access token, but then I have to connect to Auth0’s servers on every API request to both verify the token, and get basic user info?
I’ve read this: https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis which seems to suggest that the access_token is the only valid token for use with my API. But like I said, I’m not sure about the roles of the individual services. And using the id_token is tempting, because it requires no network connections on the backend, and contains information I need to extract the right data.
What is the right way to go about this?