When a user tries to signup, I have a rule which redirects to my server (Express/NodeJS) where the user has to enter some details and click save and I make a POST request to an endpoint/API in my server
- How can my endpoint know which user is trying to signup, so that I can authorise and render the correct response?
- From my server, how can I store some data in user_metadata for that particular user?
The reference documentation, in particular this section, covers your first point. The example used in the documentation uses a JWT token created at the rule and sent to the external endpoint, and also another token when sending back to Auth0; however, if you only need to send information one way your scenario will be even simpler.
In relation to your second point, your server can be registered as a non-interactive client application in Auth0, which would allow it (after being correctly configured/authorized to the Management API) to perform a client credentials grant in order to obtain a token that could be used to call the Management API and as such update the metadata of a user.
Thank you! Now it makes a lot of sense. Which signing algorithm does the reference documentation (which you mentioned) use? HS256 or RS256? How can I verify these tokens from my API? Right now I’m using a middleware as shown in the quickstart page of my API (using express-jwt and jwks-rsa). Is it exactly the same? I cannot use a middleware since the token is given to me as a query param, right? How do I decode the jwt?
The example uses HS256, and since in the example the rule also receives a JWT token back, there’s sample code for the verification part also. Like you mentioned, given the token needs to be delivered through the query string, the use of middleware may not be possible if it expects the token in a header. However, handling that route specially without middleware and manually validating the token like shown in the sample code should not be much more complex.
Thank you @jmangelo. This helped me a lot! Loving the Auth0 community and of course the product itself!