@thush - First, I appreciate your detailed posts here and checking back in with what you came up with. The time you spent here will definitely help other folks. Hopefully I can add a bit of clarity to this.
If I understand correctly ā¦ you are building a native application. While I canāt speak to Nativescript-Vue, I can hopefully help with the idea of a native app calling a Laravel API. Iāll answer some of your previous posts as well in case you still had some lingering questions.
When the user authenicates on the native app I get information such as an accessToken (although it seems quite short?
The access token you were seeing in your first post was one that is meant to be used against our userinfo endpoint (sends back the same user data that comes with the ID token).
So to follow up on this, I realized that if I change the audience for the webAuthentication() as shown here ā¦ To match the Identifier of my Auth0 API, then I am able to successfully authenicate and call the Laravel API.
You got it Adding that audience
to the request tells Auth0 that the native application wants an access token.
This would work completely fine but I feel like its a bit botchy? As in theory it allows for any authenicated request to get any userās data provided the specific email is given?
Once again, totally on the right track here. When your native app sends a user to login with that audience
(and scope
, if your API is built to provide different capabilities based on different scopes), itās requesting access to the API on behalf of a very specific user, the one logging in. As such, the API should only be providing the data that that specific user has access to.
Since in case tokens are comprised they shouldnāt be able to be used to get other userās information.
Even if it wasnāt compromised, you still want that the data returned to be specific for the user (and scope) of that access token.
I thought that you had to create a Auth0 application for each type of platform you deploy toā¦
You should have an Application created for each application that youāre creating that a user can log into using Auth0. Thatās a bit of a mouthful but ā¦ the native app definitely should have an Application and the Laraval-served API should have itās own API. If youāre using Auth0 to log in to the āemit analyticsā app as well, then that record is fine. The āemit APIā test application is created automatically and can probably be deleted.
But I added aditional callbacks for my regular web application and modified Token Endpoint Authentication Method to none, then I was able to authenicate the user on my native app through the Auth0 āweb applicationā
Your tenant doesnāt really care what app is doing what, really, and the application type thatās there is mostly to help guide you with the UI. If you create a regular application and then give that Client ID and Domain to a native app, it should work fine.
this then gives me an jwt access token (which allows to me to access my Laravel API routes with a jwt middleware BUT not my standard Laravel routes secured by the auth middleware) and a seperate id token (which contains user info).
Exactly correct.
So when I do the authenicate with the jwt access token, I noticed that the jwt itself contains a āsubā in the payload data ā therefore I can use this with my user repository in Laravel to find the specific āUserā model, and then do following actions from there!
Exactly
but I do still have a couple of doubts if Iām doing everything by best practice, Iām still unsure about this whole Auth0 āapplicationsā thing? i.e. should I have a separate application for my Laravel Web App and Native App?
I explained that above but it canāt hurt to go through it again.
Each entity that is accepting logins (or obtaining access tokens to call APIs or both) should have its own application, which will generate its own Client ID that you use in the individual applications. If both the web app and the native app pull from the same pool of users (as in, if I log into the web application with the same user account as the native application) then they should share the same connections (same database, if youāre using that, same social connections).
Hopefully that helps iron things out. Itās clear to me from this thread that we could be doing a better job of explaining all of this in our quickstarts and documentation. Once again, thank you very much for typing all of this out!