I’ve put the specifics about my app at the end of this post.
This is the scenario which best explains my confusion:
The access_token looks something like this:
15sn1HEigklptyZbck7T3Z8tc*******
and from what I can tell I shouldn’t be able to parse anything from it, but I should use it to do authorized HTTP requests against my backend, by attaching it to the Authorization header of requests. Is this correct?
However, looking at some samples on how to implement token verification in my API, most of them show how to decode the JWT from the Authorization header on the request. But the access_token isn’t a JWT - at least that’s not what I’m getting in my authentication response. How come?
I made a rough sketch on how I assume things should work.
- The client passes the credentials that the user entered to Auth0, which passes the request to the appropriate authorization provider (Google, LinkedIn, Database connection)
- The provider answers whether the credentials are good and, if so, returns the user’s profile to Auth0
- Then Auth0 generates an access_token for the client and returns the profile (id_token) and access_token to the client
- The client passes the access_token to the backend with each request
Is this correct?
Some specifics about my app
I have a bunch of clients which all are SPAs:
- Chrome extension
- Web app
- Mobile app
The backend API is a Node.js server.
My client in Auth0 only provides authentication against an Auth0 Database connection.