So I’m experimenting using Auth0 with a:
- Front end SPA website (e.g. React or Angular2) + something simple like ‘Lock’.
- Backend API in .NET or .NET Core (but again, could be anything).
When I play around with the Auth0 React Sample it easily logs me in and logs out. Great! If the user didn’t exist, then it creates a new user i the Auth0 ‘database’ (for my account).
Now - I’m wondering if the following is possible:
- Goto website. User not logged in.
- Click ‘sign in/create account’
- Sign in/Create new account modal is displayed (i.e. Lock modal). Offers Google/FB/u+p options.
- I click GOOGLE
- I do the Google-Auth-Dance.
- At some point, I now need to return from Google to … somewhere-in-my-app.
- I now attempt to create a new account in my database. E.g. POST /accounts/
- This returns some GUID which is like a unique Id for my user.
- Auth0 now gets told about this, stores this in the Auth0-DB (maybe
- The JWT token is now returned to the browser and includes this new GUID in it
Now - each call the React app makes to the backend API will include the
Bearer <token> header, which includes the GUID and voila! I can map/cache my private user data to the current request and “do whatever”.
I was wondering if this might be possible somehow with some server-side trickery? Maybe something like …
- Login/create account with Lock
- Once ‘done’ I now have a JWT with some unique id for my Auth0 user.
- I async call my backend API and create a new user. This can (optionally) hit the Auth0 api (server->server communications using an access_token?) to pull down some profile info, like Name, etc. I store this in my DB.
- Any new request to the API will include the standard
Bearer <token>header which includes this uniqueId … so I can then check that in my DB/cache and use whatever data I need.
I feel like this might be a weird solution … but defeats the purpose of what JWT’s are … like, JWT should have enough information already for me so I don’t need to keep hitting a DB or cache. It is the cached item! But I just don’t see how I can handle things like user-permissions (and these might change … e.g. promoting a user or demoting).
So - anyone have any suggestions / corrections to my understanding of things?