Hi all, I'm new to Auth0 and authentication in general, so bear with me if some of this should be obvious!
Some context:
I am building a React SPA using the auth0-spa-js npm package. I got this working. Now I want to add a node.js backend with protected routes. Firstly, I want to only allow logged-in users to access these routes. Later, I'd like to use roles (RBAC) to more tightly control access to specific resources.
For the front end portion I followed this tutorial and it is working well.
For the back end, my node.js API, I basically have a "hello world" app with a single route.
NOTE:
For simplicity, I want to only allow my users access to the app with username and password.
My understanding of the process is as follows:
- user authenticates with my Auth0 app, using email and password, and receives an opaque access token
- user sends a request to my node.js API for a protected resource
- my node.js API sends a request to Auth0 (https://my-auth0-domain/userinfo) to decode the opaque access token. I need to do this to determine who the user is, and therefore whether they have access.
- Auth0 returns the user info, in the form of:
```js
result: {
  sub: 'auth0|dwe6rxxxxxxxxxxxxxxx',
  nickname: 'mynickname',
  name: 'myemail@company.com',
  picture: 'https://picture-url.png',
  updated_at: '2020-05-12T00:43:33.723Z',
  email: 'myemail@company.com',
  email_verified: true
}
```
So far, this is working!
My questions:
- Firstly, am I missing something obvious?
- Does my API need to make HTTP requests to Auth0 (https://my-auth0-domain/userinfo) every time the user makes a request to a protected resource? Wouldn't this slow down the app?
- Why am I getting an opaque access token from auth0-spa-js instead of a JWT?
- Doesn't the access token represent an authenticated user? If I could get a JWT with user info as the payload, could I skip the decode step to /userinfo?
- How to handle RBAC? I am thinking of managing all RBAC information in my own separate relational database, and I am planning to have my own private Users table, which will have some duplicate fields as the ones stored somewhere in the Auth0 authentication server (like email, some sort of user ID, and name). In my mind this separates authentication (auth0) from authorization (authenticated users + my users table + my roles table). Is this standard?
Thanks in advance!
EDIT: OK, I just realized this is in "community" and should probably be in "general" …