Exchange Facebook token for Auth0 JWT

I’ve got a react-native app and I’ve integrated the Facebook SDK. I’d like to use native apps to authenticate users and get an access token first, then exchange that token with Auth0 for an Auth0 created JWT.

Is this possible?

2 Likes

Hi, @geofflancaster!

Thank you for reaching out to us.

That’s the flow to get an access token: the users need to authenticate first.

Third-party Access Tokens are issued by Identity Providers after a user authenticates with that provider. Use the Access Tokens to call the API of the third-party provider that issued them. For example, an Access Token issued after authentication to Facebook could be used to call the Facebook Graph API.

The user authenticates with the IdP by making an HTTP GET call to the /api/v2/user/{user-id} endpoint. To call this endpoint you need an Access Token for the Management API that includes the read:user_idp_tokens scope. The Access Token for the IdP will be available in the identities array, under the element for the particular connection. For information on how to call an IdP API, see Call an Identity Provider API.

Validating tokens: If you have received an Access Token from an Identity Provider (IdP), in general, you don’t need to validate it. You can pass it to the issuing IdP, and the IdP takes care of the rest.

Please let me know if this information is helpful!

Actually the access_token from /api/v2/user/{user-id} is just the Facebook access token, which I already have.
I need to validate this token and get an Auth0 JWT token from it to make authenticated requests.
How do I get this token?

1 Like

@geofflancaster, @arturhaddad:

tl;dr: If JWT format is not sent to your client, it’s because you probably don’t have an audience specified.

An access token can be dispensed in one of two formats: JWT or opaque. You will not be able to validate an opaque token without the /userinfo endpoint. A JWT token can be validated on a client.

When making a request, be sure to include an audience field along with the domain, client ID and responseType.

More on how to validate JWT tokens here and here.

More on why Auth0 assumes it will need an opaque token without an audience here.

Hope this helps. Please reach out with any questions.
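As an added illustration of the point above (example code, not from this thread or from Auth0): a request config with and without `audience`, plus a client-side check that tells an opaque access token from a JWT and confirms the requested audience made it into the claims. The config key names are assumed to match auth0.js WebAuth, the tenant, client ID, API identifier and sample tokens are placeholders I constructed.

```javascript
// Added example, not from the thread: tell an opaque Auth0 access token from a
// JWT and check that the requested `audience` is in its claims. Claims are only
// decoded, not verified; validate the signature against the tenant JWKS first.

// Constructed request configs; key names are assumed to match auth0.js WebAuth
// (domain, clientID, responseType, audience) and all values are placeholders.
const authParamsOpaque = {
  domain: 'YOUR_TENANT.auth0.com', clientID: 'YOUR_CLIENT_ID',
  responseType: 'token id_token', scope: 'openid profile',
  // no audience: Auth0 hands back an opaque token, usable only at /userinfo
};
const authParamsJwt = { ...authParamsOpaque, audience: 'https://api.example.com' };

function base64UrlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { format: 'jwt', header, payload } or { format: 'opaque' }.
function classifyAccessToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return { format: 'opaque' };
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return header.alg ? { format: 'jwt', header, payload } : { format: 'opaque' };
  } catch (e) {
    return { format: 'opaque' }; // segments were not base64url-encoded JSON
  }
}

// `aud` may be a string or an array (Auth0 can add the /userinfo audience
// when the openid scope is requested together with an API audience).
function audienceMatches(payload, expectedAudience) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  return aud.includes(expectedAudience);
}

// Constructed sample tokens; the JWT's signature segment is a dummy.
const sampleJwt = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'constructed' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://YOUR_TENANT.auth0.com/', sub: 'facebook|123',
    aud: [authParamsJwt.audience, 'https://YOUR_TENANT.auth0.com/userinfo'], exp: 1700000000 })),
  'dummy-signature',
].join('.');
const sampleOpaque = 'kJHGfds8sdf7sDFGqwe'; // no dots, so nothing to decode client-side
```

If `classifyAccessToken` reports `opaque` on a real token, the request most likely went out without `audience`, which is the tl;dr above.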