How to handle multiple APIs and access tokens with express-openid-connect

Suppose you have two separate APIs because they have different security contexts, and hence one API has a longer lifetime and the other a shorter one.

How would you implement handling the two different access tokens required on the application side with Auth0's express-openid-connect library (GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications)?

Hey there @mhautala, great question!

While we typically recommend a single logical API approach, this doesn’t exactly make sense for your use case.

I haven't tried this out myself, but I believe our SDKs should be able to handle multiple access tokens. That is, you will need to make a separate authorize request for each audience and use the resulting tokens against the relevant API.
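As an added example of what "use the resulting tokens against the relevant API" means on the application side (this is not code from the thread, from Auth0, or from the express-openid-connect project): keep one access token per audience, look it up by audience before each API call, let each token expire on its own schedule, and never substitute one API's token for the other's. The sample tokens, audience URLs, the `TokenStore` class and `authHeaderFor` are all constructed for illustration. It assumes the SDK hands the application each audience's access token after the corresponding authorize request (for express-openid-connect I take that to be `req.oidc.accessToken`, which is an assumption here, not something the thread confirms).

```javascript
'use strict';

// Added example, not express-openid-connect code. Tokens are constructed,
// unsigned sample JWTs so the file runs offline; a real API must verify the
// signature and reject alg "none". The application only reads aud/exp to
// decide which token to send where.

function b64url(str) {
  return Buffer.from(str).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Constructed sample token (assumption: shape of a typical Auth0 access token).
function makeSampleToken(audience, lifetimeSeconds, issuedAt) {
  const header = { alg: 'none', typ: 'JWT' };
  const payload = {
    iss: 'https://example-tenant.auth0.com/', // constructed issuer
    aud: audience,
    iat: issuedAt,
    exp: issuedAt + lifetimeSeconds,
  };
  return `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}.`;
}

// Decode the payload without verifying it: the receiving API verifies, the
// application only routes.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(b64urlDecode(parts[1]));
}

class TokenStore {
  // `now` is injectable (seconds since epoch) so expiry can be tested.
  constructor(now = () => Math.floor(Date.now() / 1000)) {
    this.now = now;
    this.byAudience = new Map();
  }

  // Store the token that came back from an authorize request made with
  // `audience`. Refuse tokens whose aud claim does not contain that audience,
  // so a token for API A can never be filed under API B.
  put(audience, accessToken) {
    const claims = decodePayload(accessToken);
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!aud.includes(audience)) {
      throw new Error(`token audience [${aud}] does not match ${audience}`);
    }
    this.byAudience.set(audience, { accessToken, exp: claims.exp });
  }

  // Return the token for this audience, or null if absent or within `skew`
  // seconds of expiry. Each audience expires independently.
  get(audience, skew = 30) {
    const entry = this.byAudience.get(audience);
    if (!entry) return null;
    if (entry.exp - skew <= this.now()) return null;
    return entry.accessToken;
  }
}

// Build the Authorization header for a call to `apiAudience`. A null result
// means the caller must (re)authorize for that audience; there is no fallback
// to another audience's token.
function authHeaderFor(store, apiAudience) {
  const token = store.get(apiAudience);
  return token ? { Authorization: `Bearer ${token}` } : null;
}

// Walk through the scenario from the question: a long-lived token for API A
// (24 h) and a short-lived one for API B (10 min), checked 15 min later.
function demo() {
  const API_A = 'https://api-a.example'; // constructed audiences
  const API_B = 'https://api-b.example';
  const t0 = 1700000000;
  let clock = t0;
  const store = new TokenStore(() => clock);
  store.put(API_A, makeSampleToken(API_A, 24 * 3600, t0));
  store.put(API_B, makeSampleToken(API_B, 600, t0));
  const atStart = { a: authHeaderFor(store, API_A) !== null, b: authHeaderFor(store, API_B) !== null };
  clock = t0 + 900;
  const later = { a: authHeaderFor(store, API_A) !== null, b: authHeaderFor(store, API_B) !== null };
  return { atStart, later };
}

module.exports = { makeSampleToken, decodePayload, TokenStore, authHeaderFor, demo };
```

In an app built on the "two mounted middleware instances" idea, each instance's `req.oidc.accessToken` (assumption) would feed `store.put` for its own audience, and the proxy or service layer would call `authHeaderFor` with the target API's audience; a `null` return is the signal to send the user through the authorize flow for that audience again rather than reuse the other API's token.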

Yes, I think it is pretty clear how to handle this in a generic way if you do not use any SDK and build it yourself with a few redirects, callbacks and a POST request.

But a lot of our clients are using the express-openid-connect library, and it looks like it doesn't document any way to handle two separate audiences, at least. I guess the way to do it would be to create two instances of the middleware and mount them on separate paths.

There is a comment implying something like this in this issue:

Hey @mhautala, thanks for getting back to me and for sharing the link.

In that case, I recommend opening an issue against the SDK itself to verify how or if you can handle multiple audiences/tokens. If you do, please link it here if possible. Thank you!
