Auth0 Home Blog Docs

Pass JWT token to frontend

token
jwt
bearer-token
token-url
j

#1

Hi guys,

I want to ask you about one thing. I have two apps - frontend and backend. After user has clicked on the SSO button and he approved scope, the resource server is redirecting user to the return_url (with access code as one of arguments) which is on the backend server. Now I’m able to exchange access code and I’m getting jwt token. I have to send this token to the frontend.

But I don’t know how I can do that. Because I have to redirect user to my frontend app, so I can add jwt token to url. Should I send jwt this way? For example https://frontendserver.com/jwt_token= ?

Is it a good solution? What do you think about it?


#2

I was thinking along these lines too, however I think exposing the JWT might be risk and might be worth looking at implicit grant / silent authentication. But interested to have done definitive answer.


#3

Good question, and good thoughts. But…

I think what you are looking to do is passing the token in the session or some sort of store. You can do this manually but that’s really not recommended.
Here is a list of extensions based on language/framework Auth0 recommends! https://auth0.com/docs/extensions/authorization-extension/v2#how-to-install


#4

Thanks for response. Could you add some information why do you think it is not recommended solution? I’m understand that I should use Auth0 plugin on production env, but I just curious about more ‘raw’ solution.

So, we have the browser which was just redirected from our page (the user clicked sso button) to some 3rd party page, which one redirect to our backend.
In this scenario we don’t have any session or nothing, because the last redirection was targeted onto backend endpoint.
Of course I can redirect again to our frontend app, but I see the passing JWT as url argument is the only option.
It looks like it should be safe - if we are using SSL :slight_smile:
What do you think about it?


#5