Hi, I’m a little confused about how to achieve the following scenario, where my Frontend (SPA) will access a REST API including the current authenticated Auth0-User and the roles that were linked to this particular user:
SPA contains Auth0-SignUp/SignIn capabilities
After a SignUp in the SPA, user will be created in Backend via REST API and Post-Creation-Hook
After SignIn, my SPA will get the UserID of my backend via meta_data of the Auth0-User
When accessing my Backend via Rest-API, an AccessToken (JWT) will be obtained and be validated on the Backend
This is what I have so far.
But now I don’t want just to create a “global” accessToken for my own REST API, which was created with grant_type “credentials”, clientId and clientSecret.
Instead, I want to create a JWT token for the current authenticated User, so that my Backend can check not only if the general JWT token is valid, but also which user was responsible for this specific API request.
You would want to register your API within your Auth0 tenant; this will allow you to make /authorize requests with the API’s identifier as the audience. When you provide an audience, Auth0 will provide a token that is supposed to be consumed by that API.
You can then use the access token your user gained from the above flow to control what the user can and cannot do on your API, by sending it as a bearer token in their requests to your API endpoints, and the user in question should appear as the sub (subject) claim of the token.
You can also further customise what claims appear in the access tokens beyond the standard; either through Rules, our built in Role Based Access Control (RBAC), or a combination of the two: