I’m trying to make up my mind about how to implement this. I am not very happy to have to do this when Auth0 already has the solution ready, but at least I’ll try to understand how much work would be involved.
In my scenario I still have a SPA client and an API. If I understand correctly, I can leverage the API to store refresh tokens and provide access tokens to my SPA. I have a lot of gaps to fill to fully understand how this could work.
- User opens the SPA in the browser
- SPA checks if there is an access token in the local storage. If missing/expired, it must be renewed
Here I am already confused:
- If the user never logged in, I can ask Auth0 to provide an authorization code. After the user gives consent, the browser is redirected to the API on some endpoint. My backend API calls Auth0 and exchanges the code for a refresh token and access token. The refresh token is stored in the backend, the access token is returned to the SPA
- If the user logged in before and everything went well, then the backend should have a refresh token stored. My backend could use it to retrieve an access token and return it to the SPA
What I don’t understand is that in case 1, I need to call Auth0 to get an authorization code, while in case 2 I need to go to my backend directly. What can I use to distinguish the cases? Then what credentials can I provide to my backend? In case 1 I have the code, but in case 2 I have nothing.
One possible solution is to use the id token. At step 1, I could return the id token to my SPA and store it, then use it as proof to my backend. But id tokens expire too, and that’s not their purpose. It seems I am stuck again, and basically reimplementing what Auth0 already does natively.
Also, what about 3rd party apps trying to use my API? They’d need to use Auth0 to authenticate users, and they’ll expire too after 3 days / 30 days max.
This is getting too complex for something that should work out of the box. After all, once I am logged in to my Google account, Runtastic, etc., I am almost never logged out, or at least expirations may be 1 year.
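The two cases described in the post (first login with an authorization code, later visits with a refresh token already held by the backend) can be sketched as a small backend-for-frontend. The following is an added example, not code from the post or from Auth0: the authorization server is a constructed in-memory stand-in (`FakeAuth0`) that only models code exchange, refresh and revocation, and the assumption that distinguishes the two cases is an opaque server-side session id, which a real deployment would carry in an HttpOnly, Secure, SameSite cookie rather than in an id token or in local storage.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float


class FakeAuth0:
    """Constructed stand-in for the authorization server's token endpoint.
    It only models code exchange, refresh and revocation; nothing is called over the network."""

    def __init__(self, access_ttl=60):
        self.access_ttl = access_ttl
        self.valid_codes = {"code-abc": "user-1"}   # constructed sample: one pending auth code
        self.refresh_tokens = {}                     # refresh_token -> user
        self._n = 0

    def _mint_access(self, user):
        self._n += 1
        return f"at-{user}-{self._n}", time.time() + self.access_ttl

    def exchange_code(self, code):
        user = self.valid_codes.pop(code, None)      # authorization codes are single-use
        if user is None:
            raise PermissionError("invalid_grant")
        rt = "rt-" + secrets.token_hex(8)
        self.refresh_tokens[rt] = user
        at, exp = self._mint_access(user)
        return TokenSet(at, rt, exp)

    def refresh(self, rt):
        user = self.refresh_tokens.get(rt)
        if user is None:
            raise PermissionError("invalid_grant")   # revoked or expired refresh token
        at, exp = self._mint_access(user)
        return TokenSet(at, rt, exp)

    def revoke(self, rt):
        self.refresh_tokens.pop(rt, None)


class Backend:
    """The API from the post acting as a backend-for-frontend: refresh tokens never
    leave the server, the SPA only ever receives short-lived access tokens, and the
    browser is tied to its stored refresh token by an opaque session id (assumed to be
    sent as an HttpOnly cookie, so the SPA's JavaScript never reads it)."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}   # session_id -> refresh_token (server-side only)

    def callback(self, code):
        """Case 1: the browser arrives from the authorization server with a code."""
        tokens = self.auth.exchange_code(code)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = tokens.refresh_token
        return sid, tokens.access_token, tokens.expires_at

    def access_token(self, session_id):
        """Case 2: the SPA asks for a fresh access token with nothing but its session cookie.
        None means there is no usable session, so the SPA must start case 1 again."""
        rt = self.sessions.get(session_id)
        if rt is None:
            return None
        try:
            tokens = self.auth.refresh(rt)
        except PermissionError:
            self.sessions.pop(session_id, None)   # refresh token gone: drop the session, force re-login
            return None
        return tokens.access_token, tokens.expires_at

    def logout(self, session_id):
        rt = self.sessions.pop(session_id, None)
        if rt is not None:
            self.auth.revoke(rt)   # revoke upstream so the stored grant cannot be reused


def demo():
    auth = FakeAuth0()
    api = Backend(auth)
    # First visit: no cookie, so the backend cannot mint anything and the SPA is sent to log in.
    no_session = api.access_token("no-such-session")
    # Redirect back with the code: backend stores the refresh token, SPA gets an access token.
    sid, at1, _ = api.callback("code-abc")
    # Later visit: the cookie alone is enough; no id token, no code, nothing in local storage.
    at2, _ = api.access_token(sid)
    # Revocation at the authorization server is noticed on the next refresh and ends the session.
    auth.revoke(api.sessions[sid])
    return no_session, at1, at2, api.access_token(sid), sid in api.sessions


if __name__ == "__main__":
    print(demo())
```

Whether the SPA "goes to Auth0" or "goes to the backend" is therefore decided by a single call: the SPA always asks the backend first, and a `None` answer (no cookie, or a cookie whose refresh token was revoked or expired) is the signal to start the authorization-code redirect. Reuse of the same authorization code is rejected by the stand-in, matching the single-use rule of the real token endpoint.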