I was curious if anyone else has, or considered, passing both the user access token and a machine to machine access token from their bff servers to their common api service to enable authorization of the user, but also authentication of the whole request chain.
Does this make any sense? If so, are people just using two request headers to pass these tokens around.
To further the insanity, to get the users email address, wouldn’t I need to pass the user id token or call Auth0 API from our common api service?
We all need a sanity check every once in a while . It sounds like you might be working around a common pattern. Can you tell us more about what you are trying to do? A quick example flow could be helpful.
I am trying to allow our backend system to handle user-level authorization, while also enforcing all requests to our backend system only come from our approved frontend systems. They idea would be that if an unauthorized person/application in our VPC was able to intercept the incoming valid requests, they wouldn’t be able to act as a man-in-the-middle.
For that reason, I was considering sending both a machine to machine access token to prove our frontend systems are authenticated to talk to the backend, but also the user access token to allow the backend to provide user data access/mutation authorization.
Hopefully that was additive and not just repeating my initial comment.
The user’s access token is already authenticating the request, a M2M token is not necessary. You may need a M2M for the backend to access API services, but that is seperate from the user.
You shouldn’t get M2M tokens as a SPA anyways. Anyone who has access to the React app can inspect the client and grab the client id and secret and act as the application.
@dan.woda Just confirming something you stated above.
The user’s Access Token can be trusted and used for authentication? I thought only the IdToken should be trusted for authentication based on the Auth0 docs I found.
If the access token can be trusted for authentication, why have the delineation between Id and Access tokens? Fundamentally I need the user identifier and their permissions, it would seem that I would just select the access token and forget about the IdToken.
Access Tokens must never be used for authentication. Access Tokens cannot tell if the user has authenticated. The only user information the Access Token possesses is the user ID, located in the sub claim. Tokens