I want to ask you about one thing. I have two apps - frontend and backend. After the user has clicked on the SSO button and approved the scope, the resource server redirects the user to the return_url (with the access code as one of the arguments), which is on the backend server. Now I’m able to exchange the access code and I get a JWT token. I have to send this token to the frontend.
But I don’t know how I can do that, because I have to redirect the user to my frontend app, so I can add the JWT token to the URL. Should I send the JWT this way? For example https://frontendserver.com/jwt_token= ?
Is it a good solution? What do you think about it?
I was thinking along these lines too; however, I think exposing the JWT might be a risk, and it might be worth looking at implicit grant / silent authentication. But I’m interested to have a definitive answer.
I think what you are looking to do is pass the token in the session or some sort of store. You can do this manually, but that’s really not recommended.
Here is a list of extensions based on language/framework that Auth0 recommends! Authorization Extension
Thanks for the response. Could you add some information on why you think it is not a recommended solution? I understand that I should use the Auth0 plugin in a production env, but I’m just curious about a more ‘raw’ solution.
So, we have the browser which was just redirected from our page (the user clicked the SSO button) to some 3rd party page, which then redirects to our backend.
In this scenario we don’t have any session or anything, because the last redirection was targeted at a backend endpoint.
Of course I can redirect again to our frontend app, but I see passing the JWT as a URL argument as the only option.
It looks like it should be safe if we are using SSL.
What do you think about it?
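An added example (not from any post in this thread) contrasting the two ways the backend callback can hand the token to the frontend: the query-string redirect discussed above, and a redirect that carries the token in an HttpOnly cookie instead. Placing the token in the URL puts it in browser history, proxy and server access logs and Referer headers even over TLS, which is the risk a cookie avoids. It assumes the frontend and backend share a registrable domain (the constructed `.example.com`) so the cookie reaches the API on later requests.

```python
"""Two redirect builders for the backend OAuth callback (added example)."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

def redirect_with_token_in_url(frontend_url: str, jwt: str) -> dict:
    """The approach from the thread: JWT as a query argument.
    The token ends up in history, access logs and Referer headers."""
    parts = urlsplit(frontend_url)
    query = urlencode({"jwt_token": jwt})
    return {"status": 302, "Location": urlunsplit(parts._replace(query=query))}

def redirect_with_cookie(frontend_url: str, jwt: str, cookie_domain: str,
                         max_age: int = 3600) -> dict:
    """Hardened form: JWT in an HttpOnly, Secure, SameSite cookie.
    The Location header carries nothing secret."""
    cookie = SimpleCookie()
    cookie["access_token"] = jwt
    morsel = cookie["access_token"]
    morsel["httponly"] = True      # not readable by page scripts (XSS)
    morsel["secure"] = True        # only sent over TLS
    morsel["samesite"] = "Lax"     # not attached to cross-site POSTs
    morsel["domain"] = cookie_domain  # constructed; shared parent domain
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return {"status": 302, "Location": frontend_url,
            "Set-Cookie": morsel.OutputString()}

def url_leaks_token(url: str) -> bool:
    """Check a redirect target: does any query or fragment parameter
    carry a JWT-shaped value (three non-empty dot-separated parts)?"""
    parts = urlsplit(url)
    values = []
    for section in (parts.query, parts.fragment):
        for vs in parse_qs(section, keep_blank_values=True).values():
            values.extend(vs)
    return any(v.count(".") == 2 and all(v.split(".")) for v in values)

if __name__ == "__main__":
    front = "https://frontend.example.com/callback"
    token = "aaa.bbb.ccc"  # constructed stand-in for a real JWT
    print(redirect_with_token_in_url(front, token))
    print(redirect_with_cookie(front, token, ".example.com"))
```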