So I have an Angular SPA gaming website that allows users to store non-sensitive data on an API backed by MySQL. Users authorize with Auth0, simply so I can store and fetch their data separate from other users. Since I don't store any sensitive information, I'm not very concerned about long-lived tokens, and I would like to have my tokens last for weeks to months. I'm using the implicit grant method for my SPA.
First I used the Angular Auth0 quickstart guide to enable authorization, and get an ID token and access token, check. The access token is way too short to be a JWT and would not work with my PHP backend API, but I was able to checkJWT on the ID token. Unfortunately the ID token only lasts 2 hours, and after reading more documentation I learned that I should not be using the ID token for API access. (I get it, the ID token could be altered and resigned by the client app, so it's not trustworthy.)
After more reading, I realized that I need to supply the API backend as the "audience" during authorization, after which I'm given a properly formed JWT access token I can use for API access. Great, but that access token only lasts a maximum of 24 hours.
Also the access token doesn't have an "email" attribute, which is what I'm using as my user identification on my backend. Ok, I read that I can use the access token on the /userinfo endpoint to fetch profile information including the user's email. Great.
Now all the queries to my API fail with "Too many retries"? What? I'm rate limited on the /userinfo endpoint to 5 per minute?? Ok, that's not the right solution. Ok, I read up on rules… I can use rules to add attributes to the access token after authorization. Ok, I can add the user.email attribute to my access token, and avoid the /userinfo endpoint.
Seems like I had to jump through a lot of hoops and make lots of mistakes to do very basic/standard authorization? And even with all this working, I've only managed to increase my token lifetime from 2 hours to 24 hours?
Can I go longer than 24 hours with implicit grant?
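The rule step from the post, written out as an added example (not code from the original post or from Auth0): an Auth0 Rule that copies the user's e-mail into the access token as a namespaced custom claim, so the API can identify the caller without hitting the rate-limited /userinfo endpoint. The claim namespace URL and the sample user are constructed placeholders; the small `runRule` harness stands in for the Rule runtime so the function can be exercised offline.

```javascript
// Added example: an Auth0 Rule (a JavaScript function with the signature
// (user, context, callback) that runs after authentication) adding the
// user's e-mail to the access token. Custom claims must be namespaced with
// a URL, otherwise Auth0 silently drops them and the rule appears to do
// nothing. The namespace below is a constructed placeholder.
const CLAIM_NAMESPACE = 'https://example.invalid/';

function addEmailToAccessToken(user, context, callback) {
  // Only assert an identity the backend can rely on: skip unverified e-mails,
  // since an attacker could otherwise register with someone else's address.
  if (user.email && user.email_verified) {
    context.accessToken[CLAIM_NAMESPACE + 'email'] = user.email;
  }
  // Standard claims (sub, aud, exp) are left untouched; the backend still
  // validates signature, issuer and audience before trusting this claim.
  return callback(null, user, context);
}

// Minimal stand-in for the Rule runtime (constructed for this example):
// builds an empty token context, runs the rule, and returns what it produced.
function runRule(user) {
  const context = { accessToken: {}, idToken: {} };
  let result;
  addEmailToAccessToken(user, context, (err, _u, ctx) => {
    result = { err, accessToken: ctx.accessToken };
  });
  return result;
}

// Constructed sample user; the claim the API would read appears under the namespace.
const sample = runRule({ email: 'player@example.invalid', email_verified: true });
console.log(sample.accessToken);
```

On the PHP side the backend reads `$claims['https://example.invalid/email']` (with the real namespace) after verifying the JWT, rather than calling /userinfo per request.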