First a disclaimer and an apology: I’ve done a bunch of reading over the last few hours in an attempt to grasp the concepts and best practices before asking my question: the quick start guides, the SPA & custom API guide, the difference between ID Token and Access Token, etc. I can’t seem to wrap my head around it. Sorry.
Next, my goal: I have a SPA. I want end-users to be able to authenticate using either a username and password (using Auth0’s provided username-password-authentication) or one of my two connectors (Google and Microsoft). I have an API that the SPA (and, theoretically, any other consumer) will use to get work done. This API should be able to assess that a user has the proper scopes to perform the actions.
What I need help with: I think I understand that when a user signs in to the SPA, they will be authenticating with Auth0 (for user-pass-auth) or with Google or Microsoft. The SPA will get an ID Token and an Access Token. The access token’s audience is the SPA, correct? So how do I turn around and authenticate that user with my first-party API so that I can get an Access Token whose audience is the API so that calls can be made in order to do work?