Tools:
JavaScript SDK auth0-js version 9.14.0
This is my application flow at a high level.
Client (ReactJS) <-> Server (NodeJS Backend)
I linked the client to the Universal Login (Auth0) to facilitate the authentication process, which works seamlessly, and I’m able to sign up and sign in; however, I’m not able to implement the authorization process that well.
This is a snippet from my frontend project:
    import auth0 from "auth0-js"; // auth0-js 9.14.0

    this.auth0 = new auth0.WebAuth({
      domain: auth.domain,         // Auth0 tenant domain
      clientID: auth.clientID,     // client ID of the SPA application
      audience: auth.audience,     // API identifier the access token is requested for
      redirectUri: auth.redirect,  // callback URL registered for the application
      responseType: "token id_token",
      scope: "openid email profile"
    })
This indeed returns an access token and an ID token; however, the access token is just a sample opaque string which is not a JWT and which is not usable by the BE. Even supplying the aud didn’t change the format of the access token.
Ideally, I’d like to keep the idToken only in the client as it contains sensitive information and transmit the access token from the client to the backend through an Authorization header. There I’d like to validate the token and extract the user id from the sub property.
I’d also assume that the permissions I set for that user should be part of the claims in the access_token after login. I find the auth0 documentation a bit confusing and I couldn’t understand how I can achieve that. Could you please give me a hint?