Implement API authorized flow after social login

Good Afternoon Guys.

I’m trying to implement the following flow in order to create a completely separated frontend and backend environment for an application that I’m coding.
The idea is to not manage the user but to rely on some external “source of identity” such as Google, that will deal with the verification of users and so on.

I attach this image with my idea
Diagram

This is what I did:

  1. I created a native application on Auth0, configured the login, callback and tested everything.
  2. Modified my app code so that the user’s application will redirect the user to the login and retrieve both access token and id token.
  3. Application will send the access token and id token to my flask backend (as shown in figure), at this point I will decrypt it and check its validity using the PEM certificate to validate the signature.

I then started working with the decryption of the access token but then I got a little bit lost between audiences, opaque tokens and so on.

Am I doing something wrong? Is there a way to do this better?

I’m looking for some indications.

A.

Hi @alessandro.mini96,

Welcome to the Auth0 Community!

This flow sounds generally correct. The only thing I’m seeing is that you are sending both the Access Token and ID Token to your backend. Typically, the ID token is not meant to be consumed by the backend, and would instead be used by the client to populate the user’s profile info etc.

I would suggest taking a look at this doc; it is very similar to your setup:

Also if you have any specific questions, I’m happy to answer them.
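The following is an added example, not code from the thread or from Auth0, showing what the Flask backend in the question actually has to do with the access token on its own (the ID token stays with the client, as the reply says): confirm the token is a JWT rather than an opaque token, verify the RS256 signature against the tenant's public key, and then check `iss`, `aud` and `exp`. The tenant URL and API audience are placeholders, the signing key is a constructed demo key that stands in for the tenant's PEM certificate or JWKS, and the RSA verification is written out with the standard library only so the example runs offline; a production backend would fetch the real key from the tenant and use a maintained JWT library.

```python
import base64, hashlib, json, math, random, time

# DER DigestInfo prefix for SHA-256 used by RSASSA-PKCS1-v1_5 (RFC 8017)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(data: bytes, k: int) -> bytes:
    """Encode sha256(data) as 0x00 0x01 PS 0x00 DigestInfo||hash, k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(n: int, e: int, data: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5: sig^e mod n must equal the expected encoding of the hash."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n)
    return m.to_bytes(k, "big") == emsa_pkcs1_v15(data, k)

def verify_access_token(token, n, e, issuer, audience, now=None):
    """Return the claims of a valid RS256 access token, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:  # Auth0 issues an opaque token when no API audience was requested
        raise ValueError("opaque token: request an API audience so Auth0 issues a JWT")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a symmetric alg here
    if not rsa_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API (check the aud claim)")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def authorize(token, n, e, issuer, audience, now=None):
    # What a Flask view does with the bearer token: (200, claims) or (401, error body)
    try:
        return 200, verify_access_token(token, n, e, issuer, audience, now)
    except ValueError as err:
        return 401, {"error": str(err)}

# ---- demo-only key material (assumption: stands in for the tenant's signing key) ----
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits: int = 512):
    """Constructed 1024-bit RSA key for the demo only; real keys come from the tenant."""
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q, e = prime(), prime(), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def mint_token(claims: dict, n: int, d: int) -> str:
    """Stand-in for Auth0's signing step so the verifier can be exercised offline."""
    h = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}.{b64url_encode(pow(em, d, n).to_bytes(k, 'big'))}"

if __name__ == "__main__":
    N, E, D = demo_keypair()
    ISS, AUD = "https://YOUR-TENANT.auth0.com/", "https://api.example.com"  # placeholders
    tok = mint_token({"iss": ISS, "aud": [AUD], "sub": "google-oauth2|123",
                      "exp": int(time.time()) + 3600}, N, D)
    print(authorize(tok, N, E, ISS, AUD))
```

The `aud` check is the part that the question's confusion about audiences maps to: the client must request the token with the backend's API identifier as audience, otherwise the backend either receives an opaque token it cannot validate locally or a JWT whose `aud` is not this API, and both must be rejected. Decoding the ID token on the server is not needed for authorization; its claims are for the client's profile display.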
