How to obtain an AccessToken for accessing my API containing current users information?

Hi, I’m little confused how to achieve the following scenario, where my Frontend (SPA) will access a REST API including the current authenticated Auth0-User and the roles, that was linked to this particular user:

1. SPA contains Auth0-SignUp/SignIn capabilities
2. After a SignUp in the SPA, user will be created in Backend via REST API and Post-Creation-Hook
3. After SignIn, my SPA will get the UserID of my backend via meta_data of the Auth0-User
4. When accessing my Backend via Rest-API, an AccessToken (JWT) will be obtained and be validated on the Backend

This is what I have so far.

But now I don’t want just to create a “global” accessToken for my own REST API, which was created with grant_type “credentials”, clientId and clientSecret.

Instead, I want to create a JWT-token for the current authenticated User that my Backend can check not only, if the general JWT token is valid, but also, which user was responsible for this specific API request.

What would be the right workflow for this?

Hi @clubbing, welcome to the community!

You would want to register your API within your Auth0 tenant, this will allow you to make /authorize requests with the API’s identifier as the audience. When you provide an audience, Auth0 will provide a token that is supposed to be consumed by that API.

• Register APIs

As you are using a SPA, the recommended flow is Authorization Code with PKCE:

• Authorization Code Flow with Proof Key for Code Exchange (PKCE)
• Call Your API Using the Authorization Code Flow with PKCE

You can then use the access token your user gained from the above flow to control what the user can and cannot do on your API, by sending it as a bearer token in their requests to your API endpoints, and the user in question should appear as the sub (subject) claim of the token

• Use Access Tokens
• Validate Access Tokens

You can also further customise what claims appear in the access tokens beyond the standard; either through Rules, our built in Role Based Access Control (RBAC), or a combination of the two:

Custom claims:

• Create Custom Claims
• Sample Use Cases: Scopes and Claims

RBAC:

• Role-Based Access Control
• https://auth0.com/docs/authorization/how-to-use-auth0s-core-authorization-feature-set
• Enable Role-Based Access Control for APIs

I hope that helps with your implementation!

Thanks Steve for providing that detailed write-up!