Confused about where to start

Hi all,

I’m looking to implement a NuxtJS front end with an Express backend server. I will be hooking the Express API server up to CouchDB via PouchDB for data etc.

I’m confused about how to set up authentication. Obviously I can just use Auth0 to authenticate a user when they are online, but what happens when they are offline? I would have thought the user records would have to be in the local DB for the Auth0 callback to check they exist etc. in order to authenticate.

How should I be structuring this so that the user can sign in regardless of connection state?

Thanks
Peter

Hi @peter9,

Thank you for posting in Auth0 Community!

Auth0 uses OpenID Connect (OIDC) and OAuth 2.0 to authenticate users and get their authorization to access protected resources. With Auth0, you can easily support different flows in your own applications and APIs without worrying about the OAuth 2.0/OIDC specification or the other technical aspects of authentication and authorization.

Have you seen this doc: Authentication and Authorization Flows

It sounds like you are using a Regular Web App and will have to use the Authorization Code Flow.

Please let me know if this is helpful!

Thanks Lily.
I was hoping for an easier way to do it. The issue I have is what happens with authentication when the client is offline and needs to sign in. I know you can use a callback function that will handle the authentication locally, but in order to do that, I would have to have a list of usernames and passwords stored in a local database.

I’m guessing that I will need to try and get a list of users from Auth0 on startup of the web app. If online, download and keep a copy in a local DB for use when offline.

Hope there are some better skilled programmers out there that have a better solution… ?

@peter9,

Auth0 does not support any offline authentication and authorization. We don’t have any recommended mechanism for such functionality. We don’t suggest something like that to our customers. I would recommend avoiding caching password hashes on the user device. It exposes a security concern. Keep in mind that saving user passwords on the device is not safe even if you use a strong encryption algorithm.

You could try getting a refresh token, which is used after a user is authenticated and works with the Authorization Code Flow. After the user successfully authenticates and grants consent for the application to access the protected resource, the application will receive an authorization code that can be exchanged at the token endpoint for both an access and a refresh token. See: Understanding Refresh Tokens

You can also Allow Offline Access to an API: If this setting is enabled, Auth0 will allow applications to ask for Refresh Tokens for this API.

Hope this helps!

Thanks Lily. I can understand why you wouldn’t store passwords on the client.

I guess the best workflow then is (based off your suggestion):

  1. A user logs into the app (who has never done so before).

  2. The backend then checks if it has a stored auth/access token for the user. It won’t, so it sends it off to Auth0 for authentication.

  3. If it all works out, the auth/access token is stored by the back end and we allow the user in. If we are offline, the user is denied because we can’t authenticate.

  4. The user then tries to use the app when offline. In this case, the backend checks for a stored auth/access token, and it finds one, allowing the user in.

If the backend does not find one, then it denies the user (as we are offline and can’t authenticate)

If I have what you’re suggesting correct:

  1. How would the backend verify that the auth/access token is still valid if we are offline?
  2. How long should an auth/access token be valid for? Is 7 days too long, for example?

Thanks for your help :slightly_smiling_face: