I am authenticating users on the client (Flutter app) via Auth0, then wish to gate access to my API server to those users only. I would like the users to authenticate only the first time they use the app, and never again - certainly not each time they make a request to my server.
I suppose my question really is this: could I pass some access token, that I could acquire on the client, (as the user will already be authenticated by Auth0), directly to NGINX - and thereby grant access to my server. That is, the user would not have to reauthenticate with Auth0 when the request hits the server?
Thank you so much for your time, and apologies if I’m miles off base here - very new to this stuff and any help is thoroughly appreciated!
You are on the right track. Your API should be defined as an API in Auth0, and your flutter app should request an access token for it. This access token will have a lifetime, and when it expires, you use silent authentication to get a new one (or refresh tokens).
First off - thank you so much! I think I’ve finally got a plan of action, that I’d like to run past you quickly if you don’t mind:
My API server is a flask application, and I plan to follow this tutorial: Auth0 Flask API Tutorial
My guess is that in implementing this SDK, and with my Flutter auth, I’ll be using this pattern: Call Your API Using the Device Authorization Flow
My only slight qualm regards security. In particular:
Is it better practice to delegate authorisation to a reverse-proxy than authenticate on the server?
Perhaps I’m just being overly cautious but it would be great if you could reassure me that I’m doing the right thing!
Again, thank you so much for your time,
Those pages you linked to explain the best way to do authz with APIs.
I’m not sure what you mean by reverse-proxy vs. server.
If you are talking about many different APIs all fronted by an API Gateway, it is very common to validate the access token at the gateway and not in the API itself.
There are tradeoffs on this. For a single API, with respect to the access token, a gateway doesn’t provide additional security and is an additional point of failure. However, the gateway may provide other security features that are desirable.
Apologies: by reverse-proxy I mean my NGINX web server and by server I mean my Flask application. What I really meant is an API Gateway!
My case is that of the single API, so it’s encouraging to hear that this approach seems best.