New to Auth0 --> making sure I'm on the right track 🧠

Hi all, I’m new to Auth0 and authentication in general, so bear with me if some of this should be obvious!

some context:
I am building a React SPA using the auth0-spa-js npm package. I got this working. Now I want to add a node.js backend with protect routes. Firstly, I want to only allow logged in users to access these routes. Later, I’d like to use roles (RBAC) to more tightly control access to specific resources.

For the front end portion I followed this tutorial and it is working well.

For the back end, my node.js API, I basically have a “hello world” app with a single route.

For simplicity, I want to only allow my users access to the app with username and password.

My understanding of the process is as follows:

  1. user authenticates with my Auth0 app, using email and pw, and receives an opaque access token
  2. user sends a request to the my node.js API for a protected resource
  3. My node.js sends a request to Auth0 (https://my-auth0-domain/userinfo) to decode the opaque access token. I need to to this to determine who the user is, and therefore if they have access.
  4. Auth0 returns the user info, in the form of:

result: {
sub: ‘auth0|dwe6rxxxxxxxxxxxxxxx’,
nickname: ‘mynickname’,
name: ‘’,
picture: ‘https://picture-url.png’,
updated_at: ‘2020-05-12T00:43:33.723Z’,
email: ‘’,
email_verified: true

So far, this is working!

My questions:

  1. Firstly, am i missing something obvious? :slight_smile:
  2. Does my API need to make HTTP requests to Auth0 (https://my-auth0-domain/userinfo) every time the user makes a request to a protected resource? Wouldn’t this slow down the app?
  3. Why am I getting an opaque access token from the auth0-spa-js instead of a JWT?
  4. Doesn’t the access token represent an authenticated user? If I could get a JWT with user info as the payload, could skip the decode step to /userinfo?
  5. How to handle RBAC? I am thinking of managing all RBAC information in my own separate relational database, and I am planning to have my own private Users table, which will have some duplicate fields as the ones stored somewhere in the Auth0 authentication server (like email, some sort of user ID, and name). In my mind this separates authentication (auth0) from authorization (authenticated users + my users table + my roles table). Is this standard?

Thanks in advance!

EDIT: OK i just realized this is in “community” and should probably be in “general” …

Hi @asdFletcher,

Welcome to the Community! I apologize for the delay on this topic.

There is a more streamlined way to do things here, let me explain.

  • Your React app should make an authentication request and the user will log in. (you are already doing this.) In this request, you will add the audience of any resources you want to access (your node API identifier).
  • The SPA will then send that token to the API and node will verify the token, and and scopes roles etc that are in it. If everything is valid, then the node app will make any actions to the db etc.

The node app should not need to talk to the Auth0 server. You should only need to request the token once, then not need another one until it expires or you need to request other resources.

  1. The app initiates the flow and redirects the browser to Auth0 (specifically to the /authorize endpoint), so the user can authenticate.
  2. Auth0 authenticates the user.
  3. Auth0 redirects the user to the app with an Access Token (and optionally an ID Token).
  4. The app can use the Access Token to call the API on behalf of the user.

Hope this helps. Let me know if you question, I will respond more quickly.



This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.