Is this a good way of identifying users in the backend?

TheScannerGuy · August 16, 2022, 6:40am

I have a angular SPA on the frontend and a python flask API on the backend. I’m using Auth0 to authenticate the user. So on the frontend the user logs in and uses the user information to interact with the backend API.

What I want to do is to send the sub claim of the JWT and the user’s name in each request to the API. The API will then store the sub claim as the user’s id and the user’s name so it can identify the user.

Is this the most efficient way of doing it or am I missing something? Is it also secure storing the users name with the sub claim on my database?

dan.woda · August 24, 2022, 8:36pm

Hi @TheScannerGuy,

Welcome to the Auth0 Community!

You’d typically have the SPA making requests to your backend API with an access token instead of just sending the sub/user’s name. The token lets your API know the request is legitimate.

The sub claim is how you can identify the user in your DB. The access token will include the sub claim, which your API can use to associate the Access Token/request/user with a user in your DB.

This resource covers the scenario in depth: Single-Page Applications (SPA) with API

Topic		Replies	Views
SPA + Rails API passing auth0_id from front end to back - Best Practice Help	6	3608	July 3, 2019
Is it safe to directly send user ID to a backend DB? Help security-question-concern , security-compliance	2	295	June 6, 2024
What is the best approach to associate user information in my backend API? Help jwt , api	2	2244	August 9, 2021
Get User Data Server Side - what is a good approach? Help spa , data , get-user-info-using- , server-api	3	7991	July 25, 2019
Extract user_id from token in backend Help jwt , auth0	3	2587	January 19, 2021

Is this a good way of identifying users in the backend?

Related Topics