I have the following use case: I have a Nuxt website where my users should log in via Auth0 OAuth. I want to use their Access Token to communicate with an API which is hosted on a different domain. However, if I use the application type “Single Page Application” in Auth0 I only get an opaque access token for the user, but when making requests to my API I’d love to validate the access token without having to query Auth0’s userinfo endpoint all the time.
So my questions are:
Do I have to use a “Machine to Machine” application instead of a “Single Page Application” in Auth0 for this use case?
Would it be totally fine to use a “Single Page Application” and query the userinfo endpoint for every request or maybe I could cache auth0’s response for a few minutes per opaque token?
What other methods would I have to authenticate a user with my API, if not with the opaque access token?
Thank you very much for your time in advance.
Edit: So I found out that I can get a non-opaque JWT when specifying the audience in the authorization request. So far so good, but I don’t get a refresh token anymore? How could I refresh the access token without a refresh token?
Awesome, glad you were able to get this sorted! You should definitely still be able to get refresh tokens in a SPA, and this is the recommended approach.
Thank you very much for your reply, @tyf. I have now set it up correctly, I think.
I have set the audience parameter in the OAuth request, which holds a URL which I’ve specified in one of my APIs in the Auth0 management console. This gives me an access_token as well as a refresh_token.
However, I’m wondering if this would now count as a “Machine to Machine Auth”?
Could I also just go with the opaque token instead and validate the opaque token in my API backend service and cache the response from auth0 or wouldn’t this be recommended?