Auth0 Home Blog Docs

Possible to pass social provider access tokens back to client-side app?

access-token
social-provider

#1

I am new to Auth0 and authentication in general. I have come across https://community.auth0.com/questions/7991/possible-to-get-idp-access-token-without-server and am still confused about whether I am able to pass these access tokens back to my client-side app to be used to directly call the social provider APIs without going through a server.

The only thing I would be using a server for is to issue a client credentials grant using the read:user_idp_tokens scope. I don’t want to violate the terms of service for any social providers.


#2

You should not expose the social provider access token issued as part of the end-user authentication flow to the client-side application. The access token was issued as part of a server-side flow managed by your Auth0 domain on your behalf so exposing it to the client-side would break the expectation of the issuer, in particular, the social provider issued the token assuming it was for a server-side application and as such the access token may have characteristics that are only meant for such applications.

In conclusion, it would be technically possible, but you should not perform it.


#3