I am authenticating users on the client (Flutter app) via Auth0, then wish to gate access to my API server to those users only. I would like the users to authenticate only the first time they use the app, and never again - certainly not each time they make a request to my server.
I suppose my question really is this: could I pass some access token that I could acquire on the client (as the user will already be authenticated by Auth0) directly to NGINX, and thereby grant access to my server? That is, the user would not have to reauthenticate with Auth0 when the request hits the server?
Thank you so much for your time, and apologies if I’m miles off base here - very new to this stuff and any help is thoroughly appreciated!
You are on the right track. Your API should be defined as an API in Auth0, and your Flutter app should request an access token for it. This access token will have a lifetime, and when it expires, you use silent authentication to get a new one (or refresh tokens).
Those pages you linked to explain the best way to do authz with APIs.
I’m not sure what you mean by reverse-proxy vs. server.
If you are talking about many different APIs all fronted by an API Gateway, it is very common to validate the access token at the gateway and not in the API itself.
There are tradeoffs on this. For a single API, with respect to the access token, a gateway doesn’t provide additional security and is an additional point of failure. However, the gateway may provide other security features that are desirable.
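As an added illustration of what "validate the access token at the gateway" means in practice (this is example code written for this page, not part of the answer above and not Auth0's or NGINX's own code), the block below is a small Go verifier of the kind a gateway or an NGINX `auth_request` backend would run on every request: it splits the bearer token, pins the algorithm to RS256, looks the signing key up by `kid`, checks the signature before reading any claim, and then checks issuer, audience (the API identifier, which may arrive as a string or an array) and expiry. The tenant URL `https://example.auth0.com/`, the API identifier `https://api.example.com`, the key ID `k1` and the generated RSA key are all hypothetical, and the `SignRS256` helper stands in for the issuer only so that the example can mint tokens and run offline with the standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Claims is the subset the gateway checks; "aud" may be a JSON string or array, so it stays raw.
type Claims struct {
	Iss    string          `json:"iss"`
	Sub    string          `json:"sub"`
	Exp    int64           `json:"exp"`
	RawAud json.RawMessage `json:"aud"`
}

// HasAudience reports whether the token was issued for the API identifier want.
func (c *Claims) HasAudience(want string) bool {
	var aud any
	_ = json.Unmarshal(c.RawAud, &aud)
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// Verifier is what a gateway needs: the issuer's public keys by kid (a cached JWKS), the issuer and the API id.
type Verifier struct {
	Keys     map[string]*rsa.PublicKey
	Issuer   string
	Audience string
}

// Verify checks structure, pinned algorithm, signature, issuer, audience and expiry; any failure is a 401.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	// The algorithm is pinned: the token never gets to choose it ("none", HS256 key confusion).
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg %q is not RS256", hdr.Alg)
	}
	key, ok := v.Keys[hdr.Kid]
	sig, _ := enc.DecodeString(parts[2]) // an undecodable signature simply fails to verify
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("unknown kid %q or bad signature", hdr.Kid)
	}
	var c Claims // claims are parsed only after the signature has been checked
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if c.Iss != v.Issuer || !c.HasAudience(v.Audience) {
		return nil, fmt.Errorf("token not issued by %s for %s", v.Issuer, v.Audience)
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// SignRS256 mints a token the way the issuer would; it exists only so the example runs offline.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the tenant's signing key
	v := &Verifier{Keys: map[string]*rsa.PublicKey{"k1": &priv.PublicKey},
		Issuer: "https://example.auth0.com/", Audience: "https://api.example.com"} // hypothetical values
	tok := SignRS256(priv, "k1", map[string]any{"iss": v.Issuer, "sub": "auth0|123",
		"aud": v.Audience, "exp": time.Now().Add(time.Hour).Unix()})
	c, err := v.Verify(tok)
	fmt.Println("valid token:", err == nil, c.Sub)
	_, err = v.Verify(tok[:len(tok)-4] + "AAAA") // tampered signature
	fmt.Println("tampered token:", err)
}
```

In a real deployment the `Keys` map is filled from the tenant's JWKS endpoint and refreshed when an unknown `kid` shows up, and the gateway forwards the verified `sub` to the API rather than the raw token's unverified claims. Note that this check establishes only that the caller holds a valid token for this API; whether that user may perform the requested operation (scopes, ownership) is still the API's decision, which is the "no additional security for a single API" point made above.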