How to obtain an AccessToken for accessing my API containing current users information?

Hi, I’m a little confused about how to achieve the following scenario, where my Frontend (SPA) will access a REST API including the current authenticated Auth0-User and the roles that were linked to this particular user:

  1. SPA contains Auth0-SignUp/SignIn capabilities
  2. After a SignUp in the SPA, the user will be created in the Backend via REST API and Post-Creation-Hook
  3. After SignIn, my SPA will get the UserID of my backend via the meta_data of the Auth0-User
  4. When accessing my Backend via Rest-API, an AccessToken (JWT) will be obtained and validated on the Backend

This is what I have so far.

But now I don’t just want to create a “global” accessToken for my own REST API, which was created with grant_type “credentials”, clientId and clientSecret.

Instead, I want to create a JWT token for the currently authenticated User, so that my Backend can check not only whether the general JWT token is valid, but also which user was responsible for this specific API request.

What would be the right workflow for this?

Hi @clubbing, welcome to the community!

You would want to register your API within your Auth0 tenant; this will allow you to make /authorize requests with the API’s identifier as the audience. When you provide an audience, Auth0 will provide a token that is supposed to be consumed by that API.

As you are using a SPA, the recommended flow is Authorization Code with PKCE:

You can then use the access token your user gained from the above flow to control what the user can and cannot do on your API, by sending it as a bearer token in their requests to your API endpoints, and the user in question should appear as the sub (subject) claim of the token.

You can also further customise what claims appear in the access tokens beyond the standard, either through Rules, our built-in Role Based Access Control (RBAC), or a combination of the two:

Custom claims:

RBAC:

I hope that helps with your implementation!

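The backend-side check described in the answer above, as an added Go example that is not from this thread or from Auth0: a bearer token is accepted only if its RS256 signature, issuer, audience and expiry all check out, and only then is sub read as the user behind the request. The tenant URL, API identifier and key pair are constructed stand-ins, and the minting and verification are hand-rolled with the standard library to make visible the steps a JWT library performs for you.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Claims struct { // the subset of an Auth0 access token this API relies on
	Iss string `json:"iss"` // https://<tenant>.auth0.com/
	Sub string `json:"sub"` // the user, e.g. "auth0|<user id>"; a client-credentials token names the client here instead
	Aud string `json:"aud"` // the API identifier; Auth0 sends an array here when the openid scope is requested as well
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// tenantKey is a constructed stand-in for the tenant's RS256 signing key; a real API verifies against the key published at the tenant's JWKS endpoint.
var tenantKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// SignRS256 mints a token the way the tenant would; it exists only to build sample input for the verifier below.
func SignRS256(c Claims, key *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(nil, key, crypto.SHA256, digest[:]) // PKCS#1 v1.5 signing is deterministic; the reader is ignored
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// VerifyAccessToken is what the backend runs on every bearer token: RS256 signature first, then issuer, audience and expiry.
func VerifyAccessToken(token string, pub *rsa.PublicKey, issuer, audience string, now int64) (*Claims, error) {
	header, rest, _ := strings.Cut(token, ".")
	payload, sigB64, ok := strings.Cut(rest, ".") // any fourth segment stays in sigB64 and fails to decode
	digest := sha256.Sum256([]byte(header + "." + payload))
	sig, err := base64.RawURLEncoding.DecodeString(sigB64)
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("malformed token or invalid signature")
	}
	var c Claims
	if raw, err := base64.RawURLEncoding.DecodeString(payload); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	if c.Iss != issuer || c.Aud != audience || now >= c.Exp {
		return nil, fmt.Errorf("claims rejected (iss=%q aud=%q exp=%d): wrong tenant, wrong API, or expired", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil // only now may c.Sub be trusted as the user behind the request
}
```

A token obtained with client credentials for a different audience, or a payload edited to name another user, fails these checks even though it is a syntactically valid JWT.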

Thanks Steve for providing that detailed write-up!
