So I have an Angular SPA gaming website that allows users to store non-sensitive data on an API backed by MySQL. Users authorize with Auth0, simply so I can store and fetch their data separately from other users. Since I don’t store any sensitive information, I’m not very concerned about long-lived tokens, and I would like to have my tokens last for weeks to months. I’m using the implicit grant method for my SPA.
First I used the Angular Auth0 quickstart guide to enable authorization and get an ID token and access token, check. The access token is way too short to be a JWT and would not work with my PHP backend API, but I was able to checkJWT on the ID token. Unfortunately the ID token only lasts 2 hours, and after reading more documentation I learned that I should not be using the ID token for API access. (I get it, the ID token could be altered and re-signed by the client app, so it’s not trustworthy.)
After more reading, I realized that I need to supply the API backend as the “audience” during authorization, after which I’m given a properly formed JWT access token I can use for API access. Great, but that access token only lasts a maximum of 24 hours.
Also the access token doesn’t have an “email” attribute, which is what I’m using as my user identification on my backend. Ok, I read that I can use the access token on the /userinfo endpoint to fetch profile information including the user’s email. Great.
Now all the queries to my API fail with “Too many retries”? What? I’m rate limited on the /userinfo endpoint to 5 per minute?? Ok, that’s not the right solution. Ok, I read up on rules… I can use rules to add attributes to the access token after authorization. Ok, I can add the user.email attribute to my access token and avoid the /userinfo endpoint.
Seems like I had to jump through a lot of hoops and make lots of mistakes to do very basic/standard authorization? And even with all this working, I’ve only managed to increase my token lifetime from 2 hours to 24 hours?
Can I go longer than 24 hours with implicit grant?