I’m new to Auth0 and have read some of your documentation (you have quite a lot).
And I still cannot figure out how to do a proper login/auth and API protection solution with Auth0.
- I have a mobile application (iOS), so I have created a Native app on my Auth0 tenant. Everything is configured correctly so that the login/logout on the mobile works with Auth0 and some test users defined in a User/Pwd Database Connection.
- I have dozens of different APIs that this mobile application has to call to do “something”. For now, I have only created 2 APIs in my Auth0 tenant for test purposes.
- I activated the RBAC option on each custom API, added some specific permissions on each API, created 1 Role that has access to both APIs, and assigned that role to my test users (manually, without a rule). When I request an access token when logging in, I expect to get all permissions so that I can call any API I have been granted access to with a single token.
- I have an API Gateway product which routes traffic to my API implementations. I’m using Traefik (Enterprise). I was thinking of just using their JWT Authentication middleware to validate the token with the JWKS endpoint and filter the routing based on the permissions claim.
According to the Auth0 documentation and the tests I have performed so far, the access token returned when a user logs into the mobile application is opaque, since the specified audience for a native app is the /userinfo endpoint.
Because of that, and the fact that Auth0 does not provide any introspection endpoint, this access token is quite unusable and therefore useless in terms of API access.
Again, in your documentation & examples, you say: well, just call it with the audience matching your custom API defined in Auth0 (and without the openid scope, else it would also be opaque by default) and you get a clear and standard JWT.
Fine, this is working as documented. But…
- Such a token would only contain the permissions related to that API (not those of any other API the user has been granted through RBAC settings / group permissions).
- For a dozen different APIs, I need to make a WebAuth() call with each API audience to get a JWT per API. Then my mobile application has to manage them (with their respective refresh tokens), and the code responsible for calling each API also needs to know which token to pass in the Authorization header…
That’s just a big mess, right?
So what are the other options I have not found yet to cover such a common use case?
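The gateway check the post describes (validate the access token against the tenant's JWKS, then route on the permissions claim) as a worked example. This is added illustration code in Go, not the poster's code and not Traefik's middleware or any Auth0 SDK; it shows what such a middleware has to decide per route. The tenant domain, the API identifier https://orders.example.com/, the kid "k1" and the permission name read:orders are hypothetical, and the signing key, JWKS and token are constructed in Fixture so the program runs offline. It handles the two shapes of the aud claim Auth0 emits (a string for an API-only token, an array holding the API identifier and the /userinfo URL when openid scope was requested together with the API audience), pins the algorithm to RS256 so a token cannot select "none" or an HMAC algorithm, and expects the permissions claim that Auth0 only adds when "Add Permissions in the Access Token" is enabled in the API's RBAC settings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// Hypothetical tenant and API identifiers, not taken from the post.
const Issuer, OrdersAPI = "https://example-tenant.eu.auth0.com/", "https://orders.example.com/"

var enc = base64.RawURLEncoding

// One RSA entry of https://<tenant>/.well-known/jwks.json; encoding/json matches keys case-insensitively.
type JWK struct{ Kid, Kty, N, E string }

// Aud stays raw: a string for a plain API token, an array (API id plus /userinfo URL) when openid scope was also requested.
type Claims struct {
	Iss         string
	Aud         json.RawMessage
	Exp         int64
	Permissions []string
}

func (c Claims) Audiences() (auds []string) {
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}
	}
	_ = json.Unmarshal(c.Aud, &auds) // an unparsable aud leaves auds nil, so the aud check fails closed
	return auds
}

// VerifyRS256 checks the JWS signature with the JWKS key named by the header kid.
func VerifyRS256(token string, jwks []JWK) (c Claims, err error) {
	parts := strings.Split(token, ".") // never empty, so parts[0] is safe before the length check
	var hdr struct{ Alg, Kid string }  // alg is pinned: the token never gets to choose "none" or an HMAC alg
	hb, err := enc.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("malformed token or unexpected alg %q", hdr.Alg)
	}
	i := slices.IndexFunc(jwks, func(k JWK) bool { return k.Kty == "RSA" && k.Kid == hdr.Kid })
	if i < 0 {
		return c, fmt.Errorf("no JWKS key for kid %q", hdr.Kid)
	}
	n, _ := enc.DecodeString(jwks[i].N)
	e, _ := enc.DecodeString(jwks[i].E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	pb, e1 := enc.DecodeString(parts[1])
	sig, e2 := enc.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // RS256 signs the base64url "header.payload"
	if e1 != nil || e2 != nil || json.Unmarshal(pb, &c) != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return Claims{}, fmt.Errorf("invalid signature or payload")
	}
	return c, nil
}

// Authorize is the per-route gateway decision: signature, issuer, expiry, routed API in aud, route permission present.
func Authorize(token string, jwks []JWK, apiAudience, perm string, now time.Time) error {
	c, err := VerifyRS256(token, jwks)
	switch {
	case err != nil:
		return err
	case c.Iss != Issuer:
		return fmt.Errorf("wrong issuer %q", c.Iss)
	case now.Unix() >= c.Exp:
		return fmt.Errorf("token expired")
	case !slices.Contains(c.Audiences(), apiAudience):
		return fmt.Errorf("token was not issued for %s", apiAudience)
	case !slices.Contains(c.Permissions, perm):
		return fmt.Errorf("missing permission %s", perm)
	}
	return nil
}

// Fixture builds a constructed tenant key, its JWKS, and a token shaped like one issued for OrdersAPI with openid scope.
func Fixture(exp time.Time) (jwks []JWK, token string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks = []JWK{{Kid: "k1", Kty: "RSA", N: enc.EncodeToString(priv.N.Bytes()), E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	hdr := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT","kid":"k1"}`))
	pld, _ := json.Marshal(map[string]any{"iss": Issuer, "aud": []string{OrdersAPI, Issuer + "userinfo"}, "exp": exp.Unix(), "permissions": []string{"read:orders"}})
	signing := hdr + "." + enc.EncodeToString(pld)
	sum := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return jwks, signing + "." + enc.EncodeToString(sig)
}

func main() {
	jwks, tok := Fixture(time.Now().Add(time.Hour))
	fmt.Println(Authorize(tok, jwks, OrdersAPI, "read:orders", time.Now())) // <nil>
}
```

Run as a program it prints `<nil>` for the orders route; the same token is refused for any other API identifier because that identifier is not in aud, which is exactly the one-token-per-audience behaviour the post runs into. A real gateway would fetch and cache the JWKS from the tenant instead of building it in Fixture, and would map each route to its API identifier and required permission in configuration.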