I am using Auth0 with Weweb (Front-end builder). The integration currently doesn’t allow me to define an “audience”. Therefore, I only get back the logged in user’s data & an opaque token.
I am using Xano as my BE and I need access to the actual JWT token for the user in order to validate and grant them access to resources after validating their token with Auth0.
I am thinking one of these could help (If they do exist):
Somehow exchange the Opaque token through an authenticated API Management (Client secret, ID, etc…) to get an actual JWT user token.
OR, generate a new token for the user and then use this generated token within Xano by first validating with Auth0 and then giving the necessary access to the resources.
A 3rd option which is less secure would be to just ignore the JWT token and directly pass the user data after they are authenticated to Xano. But in this case, there is no validation that I could do between Xano and Auth0 to make sure the user is who he is.
Would appreciate any ideas to find a practical solution.
As @phi1ipp mentions, register a (custom) API with Auth0. Then set the Default Audience for your Auth0 Tenant (see here for details) to the Identifier associated with your custom API, and that way you’ll automatically generate an Access Token for the required audience without needing to specify an audience parameter.
The latter: audience - whether explicitly specified using the audience parameter or implicitly using the Default Audience parameter - is basically the Identifier associated with the (custom) API you’ve defined to Auth0. Whilst Identifier might often look like a URL, it is in fact a URI; whilst not mandatory, Auth0 recommend the use of a URI as an API Identifier in order to mitigate name clashes which might otherwise create potential security issues.