How do I securely pass identity from the frontend to the backend?

matthew.neidig · November 18, 2020, 8:20pm

I’m interested in setting up a serverless C# backend, with a static website Angular frontend (using the auth0-angular package). This has a very normal flow:

Hide most of the Angular app behind the auth0 route guard, until they have signed in with the Universal Login
Append an access token to any API calls the Angular frontend make
The C# backend verifies the token before taking any action

One hitch was setting up the backend, since there is no Azure Functions C# quickstart. Thankfully, someone has an example on GitHub that works.

The final problem I’m running into, is that many of our API calls depend on knowing the identity of the user. Ideally, we want their nickname, and their ID in our database. We’ll need this information for many queries in all of our applications.

According to the docs, “Do not use ID tokens to gain access to an API,” and “Access tokens must never be used for authentication.”

So we run into an issue for basically any application… say it’s a photo gallery. We’ll need to only fetch photos the logged-in user owns, and only allow them to edit or delete photos they own. But auth0-angular only passes an access token to the backend, saying that the user is allowed to access the fetch photos endpoint. We don’t know the ID of the user. And I can’t just pass the user ID as a header or URL parameter - because then, any malicious person could get an access token to the endpoint, open up Postman, change the URL parameter from ‘John.Doe’ to ‘Jane.Doe’ or from ID ‘1’ to ID ‘2’, and pretend to be someone else.

So, what am I missing here? It seems we can use the /userinfo endpoint up to 5x a minute per user, which might work if we can cache the result - although, I don’t think this would be trivial on a serverless platform like Azure Functions. Can we make a scope for every ID in the database? Do we ignore your advice, and make some auth0 rule to append identity information to the access token? Should I add Angular code to also append the ID token to every API call, then verify both tokens on the backend?

What’s the best approach for this?

dan.woda · November 19, 2020, 8:33pm

Hi @matthew.neidig,

Welcome to the Community!

If you simply need a unique user identifier in the token, then you can use the sub claim in the access token. This is the user_id, which is unique to that user’s profile.

In addition, you can append information to the token using custom claims and a rule.

Hope this helps,
Dan

system · December 14, 2020, 4:35pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to finish securing this existing API? (using Auth0, .NET 8, Angular) Help user-profile , user-management	0	12	October 25, 2024
Accesstoken and Id-Token. Which one to use and how to validate an opaque accesstoken? Help	2	3141	August 28, 2019
Using Auth0 for C# WebAPI, Angular and WPF apps Help angular , wpf , c , webapi	4	5621	March 2, 2018
Open Id Connect Token Exchange and Auth0 Help	2	5163	December 25, 2018
Azure Functions Example C# Help auth0 , c , azure	3	5987	March 2, 2018

How do I securely pass identity from the frontend to the backend?

Related Topics