I am porting an existing Spring app (server side Java, Spring, MySQL) into using Auth0 for authentication. My server provides a RESTful API for the business functions. It currently handles logins insecurely.
When I convert to Auth0 there will be an Auth0 user list (I envision at least name, password, maybe contact info) on the Auth0 server. I still need a user list in my own server for business purposes, such as assigning user responsibilities. I don’t want to push everything to the Auth0 user list because I believe that wrongly couples authentication with the business model.
When a person logs in through Auth0 the remote user record authenticates the person. My server then gets a token which provides info for me to fetch the business model user record. For an existing user this works OK.
So what will be my data architecture?
I want to create a new business model user record for a person. I need the user’s identity (username, password) entered somewhere as well as business-model information. I don’t think I want to handle the identity within my program – the user might merely access my program by way of Auth0, by way of Google identity. I doubt that Auth0 even knows the (username, password) combo. Is there a sequence or procedure for creating an Auth0 user record, then my business model record?
I want to vet a user. I don’t want some robot to create masses of fake users that I must later weed out.
I don’t want just anyone to log in to my system. You might have a Google login and an Auth0 account. That doesn’t mean my server should automatically accept your Auth0 authentication and create a business model user record for you.
So my proposed sequence is:
1. Admin gets email that person wants to be on my system.
2. I create a business model user record for that person.
3. I reply to the person, saying that you do (WAVES HANDS) and that creates the Auth0 right for my program and stores the authentication in my business model user table.
With what logic do I replace the WAVES HANDS?
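One way to fill in the WAVES HANDS step, written as an added example that is not from the question, from Auth0 or from any Spring library: the admin pre-creates the business record together with a one-time, expiring invitation code, and the server binds the Auth0 `sub` claim to that record only when a validated token carries a verified email matching the invited email and the code is presented; any other identity is rejected instead of auto-provisioned. Python is used here as a language-neutral sketch of what the Spring controller would do; `UserDirectory`, `BusinessUser` and the claim values are hypothetical, and the claims dict is assumed to come from a token whose signature, issuer and audience were already checked by the app's JWT filter.

```python
import hashlib, secrets, time
from dataclasses import dataclass
from typing import Optional

@dataclass
class BusinessUser:
    email: str
    role: str                              # business-model data lives here, not in Auth0
    auth0_sub: Optional[str] = None        # identity link, set on first successful login
    invite_hash: Optional[str] = None      # sha256 of the one-time invite code (never the code)
    invite_expires: float = 0.0

class UserDirectory:
    """Hypothetical stand-in for the business user table."""
    def __init__(self):
        self.by_email: dict = {}
        self.by_sub: dict = {}

    def invite(self, email, role, ttl=7 * 24 * 3600, now=None):
        """Admin step: create the business record first, return the code to mail out."""
        code = secrets.token_urlsafe(32)
        u = BusinessUser(email.lower(), role,
                         invite_hash=hashlib.sha256(code.encode()).hexdigest(),
                         invite_expires=(now or time.time()) + ttl)
        self.by_email[u.email] = u
        return code

    def resolve(self, claims, invite_code=None, now=None):
        """Map already-validated Auth0 claims to a business user; never auto-create."""
        now = now or time.time()
        sub = claims["sub"]
        if sub in self.by_sub:                         # returning user: link already exists
            return self.by_sub[sub]
        u = self.by_email.get(claims.get("email", "").lower())
        if u is None or u.auth0_sub is not None or invite_code is None:
            raise PermissionError("no open invitation for this identity")
        if not claims.get("email_verified"):           # IdP must vouch for the email
            raise PermissionError("email not verified by the identity provider")
        if now > u.invite_expires:
            raise PermissionError("invitation expired")
        h = hashlib.sha256(invite_code.encode()).hexdigest()
        if not secrets.compare_digest(h, u.invite_hash):
            raise PermissionError("bad invitation code")
        u.auth0_sub, u.invite_hash = sub, None         # bind identity, consume the code
        self.by_sub[sub] = u
        return u
```

Because the Auth0 `sub` is stored rather than any password, the business table holds only the link to the identity, not the credential itself.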