Our application architecture looks like:
[browser (react)] -> [bff server] -> [common api] -> [database]
I was curious if anyone else has, or has considered, passing both the user access token and a machine-to-machine access token from their BFF servers to their common API service to enable authorization of the user, but also authentication of the whole request chain.
Does this make any sense? If so, are people just using two request headers to pass these tokens around?
To further the insanity, to get the user's email address, wouldn't I need to pass the user ID token or call the Auth0 API from our common API service?
Thanks in advance for trying to even read this.
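As an added example that is not part of the original post: a Python sketch of what the common API side of the two-header scheme above could check. It assumes the user token arrives in `Authorization` and the BFF's M2M token in an `X-Service-Token` header (both header names, the secret, issuer, audience and client ids are constructed placeholders; HS256 with a shared secret stands in for the RS256/JWKS verification a real Auth0-backed API would do).

```python
import base64, hashlib, hmac, json

# Constructed values for the demo; a real API verifies RS256 against the tenant's JWKS
# and reads issuer/audience from its config.
SECRET = b"constructed-demo-secret"
ISSUER = "https://TENANT_PLACEHOLDER.example/"
AUDIENCE = "https://common-api.example"
TRUSTED_BFF_CLIENTS = {"bff-client-id-placeholder"}   # subjects allowed in the M2M token

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT; stands in for the tokens the identity provider would issue."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Check signature, issuer, audience and expiry; return the claims."""
    head, body, sig = token.split(".")
    expect = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

def authorize_request(headers: dict, now: int) -> dict:
    """Require both tokens: the user's in Authorization and the BFF's M2M token
    in X-Service-Token (assumed header name). Returns who the caller chain is."""
    user = verify_jwt(headers["Authorization"].removeprefix("Bearer "), now)
    service = verify_jwt(headers["X-Service-Token"], now)
    if service["sub"] not in TRUSTED_BFF_CLIENTS:
        raise PermissionError("request did not come through a trusted BFF")
    # An access token usually carries only `sub` and `scope`; the email is not in it
    # unless added as a custom claim or looked up from the /userinfo endpoint afterwards.
    return {"user_id": user["sub"], "scopes": user.get("scope", "").split(),
            "via": service["sub"]}
```

Rejecting the request when either token fails is the point: the user token alone proves who the user is, the service token alone proves the hop came from the BFF, and only both together vouch for the whole chain.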