Seeking Feedback on Proposed Solution: Is There a Simpler Approach?

Hello community,

I’m exploring a solution for accessing sensitive data (e.g., roles, permissions, username, and email address) in the backend for enhanced authorization. Currently, the JWT is encoded by Auth0, fetched by the frontend through the SDK, and then sent to the backend for decoding and authorization.

To avoid frequent requests to the Auth0 Management API v2 whenever a user tries to access a route, I aim to include this sensitive data in the JWT itself. My idea is to encrypt the sensitive data object in an Action and include it in the JWT payload. This would eliminate the need for repeated API calls and streamline backend authorization.

However, since our current plan doesn’t include the JSON Web Encryption (JWE) add-on, my approach involves encrypting only the sensitive data object (created in an Action) and decrypting it on the backend. As a result, the decoded JWT contains an encrypted sensitive data segment, like so:

{
  "encrypted_user_data": "29c08edced4c416405ef6b0516663d12:…",
  "iss": "https://XXXXX.us.auth0.com/",
  "sub": "xxxxxx",
  "aud": [
    "xxxxx",
    "https://xxxxxx.us.auth0.com/userinfo"
  ],
  "iat": 1736176221,
  "exp": 1736262621,
  "scope": "xxxxx",
  "org_id": "org_xxxxxxx",
  "azp": "xxxxxx"
}

Our technical stack is React (Vite) on the frontend and Python FastAPI on the backend.

Could you please advise if this solution is valid, or is there a simpler and more efficient way to achieve the same goal?

Thank you for your time and guidance.

From my experience, the best way to implement this is by using the Authorization Code with PKCE method.

Flow:

  1. Use the Authorize endpoint to authenticate the user. Once the user is authenticated, Auth0 will provide a one-time authorization code.
  2. Pass this authorization code to the backend API, where you securely store your client secret.
  3. Using the token endpoint, the backend API can request a token with the one-time authorization code and the code verifier. This method is secure, and you don’t need to encrypt the details.
    For your scenario, I recommend implementing this manually instead of using the SDK.

https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce