Good Afternoon Guys.
I’m trying to implement the following flow in order to create a completely separated frontend and backend environment for an application that I’m coding.
The idea is to not manage the user but to rely on some external “source of identity” such as Google, that will deal with the verification of users and so on.
I attach this image with my idea
This is what i did:
- I created a native application on Auth0, configured the login, callback and tested everything.
- Modified my app code so that the user’s application will redirect the user to the login and retrieve both access token and id token.
- Application will send the access token and id token to my flask backend (as shown in the figure); at this point I will decrypt it and check its validity using the PEM certificate to validate the signature.
I then started working with the decryption of the access token, but then I got a little bit lost between audiences, opaque tokens and so on.
Am I doing something wrong? Is there a way to do this better?
I’m looking for some indications.
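As an added example (not code from the original post or from Auth0), here is the check the Flask side has to perform on the access token, including the two points that usually cause the confusion above: Auth0 only issues a signed RS256 access token when the app requests an API audience (otherwise the token is opaque and cannot be validated locally), and the ID token's audience is the client ID, so an API that checks its own audience must reject it. The names `ISSUER`, `AUDIENCE`, `mint` and `validate_access_token` are assumptions, and the RSA key pair is a toy built with the standard library so the snippet runs offline; in production the public key comes from the tenant's JWKS or PEM and a library such as PyJWT does the signature work.

```python
import base64, hashlib, json, random, time
ISSUER, AUDIENCE = "https://YOUR_TENANT.auth0.com/", "https://api.example.invalid"  # placeholders
def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_prime(n, rounds=16):  # Miller-Rabin; adequate for a toy key
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True
def make_keypair(bits=512):  # toy RSA pair; in production the public key comes from the Auth0 JWKS/PEM
    e, ps = 65537, []
    while len(ps) < 2:
        c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if _is_prime(c) and (c - 1) % e: ps.append(c)  # (c-1) % e != 0 keeps gcd(e, phi) == 1
    n, phi = ps[0] * ps[1], (ps[0] - 1) * (ps[1] - 1)
    return (n, e), (n, pow(e, -1, phi))

def _emsa(msg, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || SHA-256(msg), k bytes long
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(priv, msg):
    n, d = priv; k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")
def rsa_verify(pub, msg, sig):  # compares the whole encoded message; no lenient padding parse
    n, e = pub; k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(msg, k)
def mint(priv, claims, alg="RS256"):  # builds a token the way the issuer would (test input only)
    h, p = _b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode()), _b64u(json.dumps(claims).encode())
    sig = rsa_sign(priv, (h + "." + p).encode()) if alg == "RS256" else b""
    return h + "." + p + "." + _b64u(sig)

def validate_access_token(token, pub, issuer=ISSUER, audience=AUDIENCE, now=None):
    parts = token.split(".")  # a Flask route calls this on the Bearer token and returns 401 on ValueError
    if len(parts) != 3: raise ValueError("not a JWT: Auth0 issues an opaque access token unless an API audience is requested")
    h, p, s = parts
    if json.loads(_unb64u(h)).get("alg") != "RS256": raise ValueError("unexpected alg")  # pin it
    if not rsa_verify(pub, (h + "." + p).encode(), _unb64u(s)): raise ValueError("bad signature")
    c = json.loads(_unb64u(p))
    aud = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != issuer: raise ValueError("wrong issuer")
    if audience not in aud: raise ValueError("token was not issued for this API (aud)")
    if c.get("exp", 0) <= (now or time.time()): raise ValueError("expired")
    return c
```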