If you have two separate API’s because they have a different security context and hence one api has a longer lifetime and the other a shorter one.
How would you implement handling the two different access tokens required in the application side with the Auth0’s express openid connect library GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.?
Hey there @mhautala great question!
While we typically recommend a single logical API approach, this doesn’t exactly make sense for your use case.
I haven’t tried this out myself but I believe our SDKs should be able to handle multiple access tokens - That is, you will need to make a separate authorize request for each audience and use the resulting tokens against the relevant API.
Yes I think it is pretty clear how to handle this in a generic way - if you would not use any SDK and build it your self with a few redirects, callbacks and a post request.
But a lot of our clients are using the express-openid-connect library and looks like it doesn’t at least document any way to handle two separate audiences. I guess the way to do it would to create two instances of the middleware and mount those in separate paths.
There is a comment implying something like this in this issue:
Hey @mhautala thanks for getting back to me - Thanks for sharing a link.
In that case, I recommend opening up an issue against the SDK itself to verify how or if you can handle multiple audiences/tokens. If you do please link that here if possible, thank you!
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.