The problem seems really simple: I’m developing an SPA as the frontend of our product. The app communicates most of the time with our API, so the audience of the ‘main’ access token is the URL of the API.
However, we would like to have a ‘profile’ page, where the user is able to add/edit profile information like phone number, name, etc. It would be nice if we could store this information in Auth0, as it already has a great profile structure that could handle all our needs.
Based on the documentation of the js lib, I need to explicitly add Auth0’s API as the audience, to get an access token with the privileges to edit the user info.
Since I can’t declare multiple audiences I see the following possible solutions:
- Implement my own ‘user-profile-service’ on our API and use Auth0’s client ID as the foreign key.
- Implement a proxy microservice on our API that authenticates the user with our audience and scopes and then uses an M2M client to update the info in Auth0. (This is basically the recommended solution)
- Authenticate the user twice: First when they log in to the SPA, second when they navigate to the profile page. Then keep two access tokens/two clients.
I don’t like any of these options: The first two fail from the developer perspective, the 3rd from the user perspective.
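As an added example (not part of the original post, and not Auth0's own code), here is what the second option, the proxy on your own API, looks like as a Node.js handler. The SPA keeps its single audience (your API); the proxy verifies that token, then uses a client_credentials (M2M) token for the Auth0 Management API to PATCH only the caller's own `user_metadata`, and only an allowlist of fields. Everything named here is an assumption: `AUTH0_DOMAIN`, the client id/secret, `https://api.example.com` as the API audience, a custom `update:profile` scope on that API, and `verifyAccessToken` standing in for a JWKS-backed JWT library. The M2M application would need the Management API's `update:users_metadata` scope granted in the Auth0 dashboard. `makeFakeAuth0` is a constructed stand-in for the Auth0 endpoints so the block runs offline.

```javascript
// Added example, not the poster's code: a "profile proxy" for option 2.
// Assumed placeholders: domain, clientId, clientSecret, apiAudience, and the
// custom scope 'update:profile' on our own API.
const ALLOWED_FIELDS = new Set(['name', 'phone_number']); // fields the SPA may edit
const REQUIRED_SCOPE = 'update:profile';                  // assumed scope on our API

function createProfileProxy({ domain, clientId, clientSecret, apiAudience, verifyAccessToken, fetchImpl }) {
  let cached = null; // { token, expiresAt } for the Management API M2M token

  // Obtain (and cache) a client_credentials token for https://{domain}/api/v2/.
  // The secret never leaves the backend; the SPA never sees this token.
  async function getManagementToken(now = Date.now()) {
    if (cached && cached.expiresAt > now + 60_000) return cached.token;
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
        audience: `https://${domain}/api/v2/`,
      }),
    });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const { access_token, expires_in } = await res.json();
    cached = { token: access_token, expiresAt: now + expires_in * 1000 };
    return access_token;
  }

  // Handler for PATCH /profile with a JSON body such as { name, phone_number }.
  // Returns { status, body } so it can sit behind any HTTP framework.
  async function updateProfile(authorizationHeader, body) {
    const m = /^Bearer (.+)$/.exec(authorizationHeader || '');
    if (!m) return { status: 401, body: { error: 'missing bearer token' } };
    let claims;
    try { claims = await verifyAccessToken(m[1]); } // signature, issuer, expiry
    catch { return { status: 401, body: { error: 'invalid token' } }; }
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!aud.includes(apiAudience)) return { status: 401, body: { error: 'wrong audience' } };
    if (!(claims.scope || '').split(' ').includes(REQUIRED_SCOPE)) {
      return { status: 403, body: { error: 'insufficient scope' } };
    }
    // Never forward the client body as-is: copy only allowlisted string fields.
    const user_metadata = {};
    for (const [k, v] of Object.entries(body || {})) {
      if (!ALLOWED_FIELDS.has(k)) return { status: 400, body: { error: `field not allowed: ${k}` } };
      if (typeof v !== 'string' || v.length > 200) return { status: 400, body: { error: `invalid value for ${k}` } };
      user_metadata[k] = v;
    }
    // The target user is always the caller (sub claim), so a user can only edit themselves.
    const token = await getManagementToken();
    const res = await fetchImpl(`https://${domain}/api/v2/users/${encodeURIComponent(claims.sub)}`, {
      method: 'PATCH',
      headers: { authorization: `Bearer ${token}`, 'content-type': 'application/json' },
      body: JSON.stringify({ user_metadata }),
    });
    if (!res.ok) return { status: 502, body: { error: 'profile update failed' } };
    return { status: 200, body: await res.json() };
  }

  return { updateProfile, getManagementToken };
}

// Constructed stand-in for the two Auth0 endpoints, so the example runs offline.
function makeFakeAuth0() {
  const calls = [];
  const fetchImpl = async (url, opts) => {
    calls.push({ url, opts });
    if (url.endsWith('/oauth/token')) {
      return { ok: true, status: 200, json: async () => ({ access_token: 'mgmt-token', expires_in: 86400 }) };
    }
    const { user_metadata } = JSON.parse(opts.body);
    return { ok: true, status: 200, json: async () => ({ user_id: 'auth0|abc', user_metadata }) };
  };
  return { fetchImpl, calls };
}

// Constructed verifier: accepts only the token string 'good' and returns claims
// shaped like an Auth0 access token for our API.
async function fakeVerify(token) {
  if (token !== 'good') throw new Error('bad signature');
  return { sub: 'auth0|abc', aud: ['https://api.example.com'], scope: 'openid update:profile' };
}

function buildDemoProxy() {
  const auth0 = makeFakeAuth0();
  const proxy = createProfileProxy({
    domain: 'example.auth0.com', clientId: 'M2M_CLIENT_ID', clientSecret: 'M2M_CLIENT_SECRET',
    apiAudience: 'https://api.example.com', verifyAccessToken: fakeVerify, fetchImpl: auth0.fetchImpl,
  });
  return { proxy, calls: auth0.calls };
}

buildDemoProxy().proxy.updateProfile('Bearer good', { name: 'Ada', phone_number: '+15550100' })
  .then((r) => console.log(r.status, JSON.stringify(r.body)));
```

The point of the allowlist and the `sub` lookup is that the SPA token only ever grants "edit my own profile fields", while the Management API token, which could edit any user, stays on the server and is exercised only through that narrow path.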