Hello,
I hope you have a bit of patience for some, perhaps, silly questions.
Despite being a software professional for several years, I have never been part of setting up auth. This has always been a functioning part of any backend I have worked on.
But now that I am working on a hobby project, it is just me - and I want to get it right.
My (intended) setup:
Web frontend - undefined language, perhaps React, Blazor/WASM or Razor Pages
Backend - one frontend-facing API. Perhaps several other services behind that.
I would like the user to be met with a login page if not logged in, otherwise presented with the UI.
Since I am a backend dev, I started looking at the API part, and followed this:
It seems to work, and I get rejected as expected. But should there not be something to validate the token that is received? Is this really it?
Meaning, if my frontend redirects to a login and sends the resulting token - would this be trustworthy without me doing extra stuff?
I would expect to need to make a call somewhere to ensure the token is valid.
I would also like any other services behind the frontend-facing API to be able to double-check a token. E.g. was it “cancelled” since the request was started.
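The checks a bearer-token middleware performs for you, spelled out as an added example (not the poster's code or any framework's implementation): the API never "calls somewhere" for a signed JWT, it verifies the signature with a shared secret, then the audience and expiry, and a revocation list is what answers the "was it cancelled" question. The secret, audience and claim values are constructed for the example; the signing helper stands in for the login server.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the login server: HS256-signed JWT over the given claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token: str, secret: bytes, audience: str, revoked: set, now=None):
    """Return (claims, 'ok') or (None, reason); mirrors what bearer middleware checks."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Signature first, constant-time compare; nothing in the payload is trusted before this.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        return None, "wrong audience"
    if now >= claims.get("exp", 0):
        return None, "expired"
    # Revocation is the one check that needs shared state (a store every service can read).
    if claims.get("jti") in revoked:
        return None, "revoked"
    return claims, "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tok = sign_token({"sub": "alice", "aud": "api", "exp": time.time() + 60, "jti": "t1"}, secret)
    print(validate_token(tok, secret, "api", revoked=set()))
    print(validate_token(tok, secret, "api", revoked={"t1"}))
```

Each downstream service can run the same checks with the same secret (or public key) and the same revocation store, so no service has to trust the frontend-facing API's word.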