First post here!!
We are trying to set up Auth0 authentication + authorization in our “regular API project”.
We started by creating a SPA application with the help of the Auth0 page, which gives the code already set up with domain / audience.
The login is SUCCESSFUL. But when we get the user and print the token, and paste it into JWT.IO, it does not look valid. It warns about “BAD SIGNATURE”.
The SPA samples seem to have an "API SERVER" running at 3001 apart from the login app at 3000 (we are using REACT).
From my understanding, SPA projects are expected to ask for the token directly and not for a code, since they won't have a back end, while regular API ones are expected to negotiate a code and then send it to the back end to exchange it for a token.
Also I was told that the token is broken because it is encrypted. I know it is SIGNED, but couldn't find any info about encryption. I was told that because, otherwise, you are at risk of someone trying to edit the permissions array.
What are we missing? The idea is to have a look at the token, see the permissions array and test it with multiple users (with different roles / permissions). But JWT is not validating it.
Have a great day.