How to set up a authorization code flow correctly?

Standard web application. Frontend+Backend(Golang). Frontend uses backend API
Regular Web Application type in auth0 dashboard. Using authorization code flow.
I am implementing this scenario:

1. The user goes to the personal account url(aka /login). The backend understands that it does not have a cookie and redirects to AuthURL auth0. The user sign up(sign in) through the login page (passed the authorization code flow). The resulting opaque access token backend save in a cookie. And also i save refresh token for this access token in database.
   Next, all API requests from the frontend are sent with the received opaque access token in cookie.
2. For each API request from the frontend like this, backend do this: validate the access token(signature) from the cookie → see if it is expired → if it is expired, then refresh it using refresh token. And set new access token in cookie. P.S. Refresh token rotation is on of course.

In this scenario I encountered 2 problems

• How to get a valid jwt access token(not opaque) whose signature I could then check. To get a valid jwt access token you need to use the API (not application) to be able to pass the “audience”, but for the API I can no longer use Regular web application type and authorization code flow, I get the error “Grant type ‘authorization_code’ not allowed for the client”. I can only use Mashine To Mashine application type and client credential flow.
• How to change the lifetime of an access token. By default it is 24 hours, which is quite a long time. And again, I can change the lifetime of the access token only if I use the API, encountering all the same consequences as in point 1

As a result, it turns out that if I use authorization code flow, then I cannot:

• I can`t check the received access token(opaque) for signature
• I can’t configure the access token lifetime

Could you please tell me if I understand everything correctly?

Hi @bryce.wayne.person

Thank you for posting your question,

Based on your description, you can create an API pointing to the backend; this way, when calling for an access token, you can pass your Backend API identifier as the audience, and your access token will be valid JWT. This way, you can set a shorter expiration date for the token.

Here’s a quickstart for Golang as API → Auth0 Go API SDK Quickstarts: Add authorization to a Go API

If you don’t want to follow that and continue to use the opaque access token, you are not supposed to validate them. Instead, they are validated on the Auth0 server when being passed in the request for the /userinfo endpoint.

I hope this answers your questions.
Thanks
Dawid

Thanks for the answer!
Could you tell me please, but if I use the API as you recommend, I will no longer be able to implement the authorization code flow(only client credential flow). And accordingly, I will not be able to show the sign in/sigh up page to user
Do I understand correctly?

Hi @bryce.wayne.person

You don’t need to switch to the client credential flow; you can still use the Authorization code flow. We have excellent documentation on how to call an API using the Authorization Code Flow with setup by setup guide → Call Your API Using the Authorization Code Flow

Thanks
Dawid

Thank you!
Now everything works as it should!
Please tell me the last question - in the received JWT access token in the aud field I get 2 audiences (an array of 2 values)

• audience of API is what I’m expecting
• and AUTH0_HOST/userinfo

Is it possible to prevent AUTH0_HOST/userinfo from coming?

Hi @bryce.wayne.person,

I’m glad it’s working! You can prevent it from happening by not including the openid in the scope of your request, but that also means that your token won’t be usable with the /user info endpoint, and your access token won’t include the user information.

Thanks
Dawid