New to Auth0 - some basic questions

Hi everyone,

I’m new to Auth0. I have a front-end app and a back-end API, running on different domains.

  1. If a user logs in to my site via the browser, I get a code back in the query string of the callback. The docs say I should resolve this to a token. Should this be done on the client, or should the code be sent to a back-end endpoint and the request to retrieve a token done there?

  2. Having got the token somehow, I presume I should send that token to any and all requests to my back-end API. My API would then have to fire a request to Auth0 to validate the token i.e. check the user is logged in and that the API request is legal. Would I have to do anything special in Auth0 settings to enable this check from a separate domain other than that registered under my Auth0 application, or can this request come from anywhere, provided it’s sent with the Auth0 account credentials?

  3. I don’t want users to be able to sign-up freely. Only users in my own DB can login. How do I tell Auth0 to check that DB when deciding whether a login request is allowed?

Many thanks in advance!

Hi, @kkrp1

  1. On a client.
  2. The client gets an ID token, then you can use it to get an access token from Auth0. You can use this access token for your API. If you are using the React SDK, there is a method getAccessTokenSilently. Ref.: Auth0 React SDK Quickstarts: Call an API
  3. There is a way to disable sign-ups: Authentication → Database → disable sign-ups

Hey @kkrp1, welcome to the community and Auth0!

We’ve got a bunch of quickstarts to help get you up and running with sample apps quickly. Additionally, I find our architecture scenarios docs very helpful as a high level overview.

In addition to @Tetiana’s responses:

  1. Most Auth0 SDKs provide methods for accomplishing this; it may be helpful to check out one of our many quickstarts.

  2. An ID token is not used nor required to get an Access Token from Auth0. Again, it depends on the technology you are using but any of the aforementioned quickstarts should be helpful. Our developer guides should be helpful as well - See React for example here.

  3. With signups disabled and your DB users imported, only those DB users will be able to log in.

Hope this helps get you rolling in the right direction!

Thank you, both! Appreciate the help.

@tyf - I did follow the “Node.js API Authorization By Example” but found it had issues. Specifically, I got an error, “AssertionError [ERR_ASSERTION]: An ‘audience’ is required to validate the ‘aud’ claim”, when starting the app, crashing it.


Hey there @kkrp1 no problem, I’m happy to help where I can!

Assuming you are following this guide, the error specified leads me to believe that you haven’t added an audience value as an environment variable. Please see the section titled “Define the Auth0 environment variables”.

Your server should start up with an audience variable added.

Thank you! I’ll take a look at that. It does sound like I somehow missed that.

