Do I need to handle the entirety of user login on the frontend in an SPA?

Looking around, having an SPA means you use the PKCE version of the authorization flow. I’m extending an existing application (backend + frontend) to support OAuth 2.0, with an external Auth0 service. Auth0 runs on a different URL too, if that matters.

So loading in an initially massive HTML + AngularJS, then querying backends for data that is then substituted, sounds like an SPA.

What I thought is that I’d just use:

And then do the logic on the backend. Create the redirect, and when the “login with auth0” is clicked, redirect the user to the authorize URL. There they log in, and are redirected back. I parse out the authorization code, and trade it for an access token (in the backend, not frontend). Using this, I then retrieve the data (from the ID token JWT, or even making another request), like email, and create a local user, or directly log him in. According to Auth0 docs, using PKCE in this type of flow is not necessary because I get to safely store my client secret on the backend (although I haven’t really understood why).

Now, is there something wrong with this flow? Is the backend not supposed to be aware of the user’s access token?

Maybe this matters, but there is no “register” user here. Users are created on the authentication service.

I bet I’m missing something very obvious.