Currently I’ve written my SPA’s auth code with Auth0 totally from scratch, not using any of the recommended APIs. I’m using the implicit grant flow so I can sign requests with the JWT access token from Auth0 in HTTPS requests up to my third-party API to verify the user sending them is a real user.
I’d like to move to auth0.js so I can get checkSession() and properly/silently refresh the SPA’s login tokens without disrupting the user. That whole workflow is clear. What I cannot figure out is how do I get the access token out of auth0.js to send to my API server?
When you do checkSession(), you provide a callback function to receive the authentication results. E.g.:
webAuth.checkSession({}, function (err, authResult) {
  if (err) {
    console.log(err); // something went wrong.
  } else {
    // authResult will contain the accessToken, its
    // expiration (expiresIn), the idToken if applicable,
    // state and other values.
    // see https://github.com/auth0/auth0.js/blob/7af18eed4ea587e1e09a77ed69188d6b7e17171c/src/web-auth/index.js#L311-L323
    // for possible values that you might get here
    var renewedAccessToken = authResult.accessToken;
  }
});
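As an added example (not part of the answer above and not code from auth0.js), here is one way to carry the token from the `checkSession()` callback to the API call: keep it in memory, renew it shortly before `expiresIn` runs out, and attach it as a bearer token only on requests to the API's own origin. The names `createTokenProvider`, `authorizedRequest` and `SKEW_MS`, the 30-second margin and the `Authorization: Bearer` scheme are assumptions; `webAuth` is any object with the `checkSession(options, callback)` shape shown above.

```javascript
// Added example: wraps the checkSession() callback from the answer above.
// createTokenProvider, authorizedRequest and SKEW_MS are hypothetical names.
function createTokenProvider(webAuth, options, now = Date.now) {
  let token = null;   // held in memory only, not in localStorage
  let expiresAt = 0;  // epoch milliseconds
  let pending = null; // one in-flight renewal shared by concurrent callers
  const SKEW_MS = 30 * 1000; // assumed margin: renew shortly before expiry

  function renew() {
    if (pending) return pending;
    pending = new Promise((resolve, reject) => {
      webAuth.checkSession(options || {}, (err, authResult) => {
        if (err) return reject(err);
        if (!authResult || !authResult.accessToken) {
          return reject(new Error('checkSession returned no accessToken'));
        }
        token = authResult.accessToken;
        expiresAt = now() + authResult.expiresIn * 1000; // expiresIn is in seconds
        resolve(token);
      });
    });
    const clear = () => { pending = null; };
    pending.then(clear, clear); // allow the next renewal, success or failure
    return pending;
  }

  return function getAccessToken() {
    const fresh = token !== null && now() < expiresAt - SKEW_MS;
    return fresh ? Promise.resolve(token) : renew();
  };
}

// Builds fetch() arguments with the bearer token, and refuses any URL that
// resolves outside apiOrigin so the token is never sent to another host.
async function authorizedRequest(getAccessToken, apiOrigin, path, init = {}) {
  const url = new URL(path, apiOrigin);
  if (url.origin !== new URL(apiOrigin).origin) {
    throw new Error('refusing to send access token to ' + url.origin);
  }
  const accessToken = await getAccessToken();
  const headers = Object.assign({}, init.headers, {
    Authorization: 'Bearer ' + accessToken,
  });
  return [url.href, Object.assign({}, init, { headers })];
}
```

The array returned by `authorizedRequest` can be spread straight into `fetch(...args)`; the API server still has to validate the token's signature, audience and expiry on every request.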