Auth0 Home Blog Docs

LOCK and SPA, how does the server know if the access_token is valid ?

lock

#1

If a SPA auth’s with Auth0 and get’s it access_token, how can the server know if the client has a valid token or maybe their context/user data?


#2

When an access_token is passed to the server as a Bearer token, the server should perform the necessary validation. In short, the following checks should be performed:

  • Check that the JWT is well formed
  • Check the signature
  • Validate the standard claims
  • Check the client permissions (scopes)

These checks can be done using any of the relevant SDK’s - here is a sample implementation for a Node.js API:

https://auth0.com/docs/architecture-scenarios/application/server-api/api-implementation-nodejs

The following document provides more information on verifying access tokens:

https://auth0.com/docs/api-auth/tutorials/verify-access-token


#3

@prashant

I think I lost you by my explanation.

  1. Single Page Application uses LOCK to sign in and gets access_token.
  2. SPA makes API request to server, sends access_token.

How does the API server know if access_token from client is valid?


#4

@prashant

I think I see, so the SPA will forward the access_token to the server and then the server will do the validation on the jwt token.

Thank you


#5

@prashant

Can I please ask some more questions, I appreciate your help.

I understand now that the SPA will get a JWT token from LOCK. Then then it will pass it as a Header “Authorization : Bearer xx.xx.xx” to API server.

So if I am using HMACSHA256 in the signature, is the secret setup in Auth0 control panel and Auth0 will use that secret to make the JWT that LOCK will return to the SPA?

I hope that made sense. In other words if Auth0 and the API server knew the secret on JWT that makes total sense.


#6

@prashant
Will all the app_data, and user_data be in the payload?


#7

This is a separate question. Please read through the following docs on how to add app_metadata or user_metadata attributes to the token claims: https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims


#8

@prashant

I think I lost you by my explanation.

  1. Single Page Application uses LOCK to sign in and gets access_token.
  2. SPA makes API request to server, sends access_token.

How does the API server know if access_token from client is valid?


#9

@michaelwjoyner Please read the document I mention in my answer. That provides information on how the server knows if the access_token is valid. As mentioned, if you use one of our SDK’s, the SDK will do the necessary checks to validate the token, including checking the expiration, etc.


#10

@prashant

I think I see, so the SPA will forward the access_token to the server and then the server will do the validation on the jwt token.

Thank you


#11

Correct, the SPA will pass the access_token in the Authorization header when making a call to the API - the API will then validate this token.


#12

@prashant

Can I please ask some more questions, I appreciate your help.

I understand now that the SPA will get a JWT token from LOCK. Then then it will pass it as a Header “Authorization : Bearer xx.xx.xx” to API server.

So if I am using HMACSHA256 in the signature, is the secret setup in Auth0 control panel and Auth0 will use that secret to make the JWT that LOCK will return to the SPA?

I hope that made sense. In other words if Auth0 and the API server knew the secret on JWT that makes total sense.


#13

Correct. Note, that our recommended approach is to use RS256, to minimize the risk of leaking the client secret. If using RS256, the API will validate the token using the public key obtained from https://{YOUR_AUTH0_DOMAIN}/.well-known/jwks.json. This is outlined in the sample:

https://auth0.com/docs/architecture-scenarios/application/server-api/api-implementation-nodejs#secure-the-api-endpoints

If you choose to use HS256 (not recommended), the API will need to be configured with the client secret, which will be used to validate the signature of the token.


#14