Should the Callback be set to the frontend SPA or to the Backend?

Hi there.

The premise: We would like to implement SSO between our 2 SPAs (one in AngularJS, the other in Angular); the backends are implemented in Golang. I have some confusion on where the callback for login should be implemented. What is the best practice around this?

Can the callback URL point to the backend, and once the token is received the backend redirects to the frontend? Will Auth0 send the referrer URL along with the request to the callback URL in this case?

Or, if the callback URL is directed to the frontend, then the access token received from Auth0 needs to be sent to the backend with every request. The API would use its secret to validate the token with Auth0 and, if valid, would return a 200 response.

Thanks

It would make more sense for the callback to be directed to the frontend.
Then you pass the access token in every request.
The upside is that if you use a JWT as a token, your backend only needs to verify its signature and then it can trust its content (permissions etc.). So your backend doesn't need to talk to Auth0 at all, except usually at boot time to fetch the public key of your Auth0 instance.

1 Like
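The verification step the answer describes (check the JWT's signature against the issuer's public key fetched at boot, then trust the claims without calling Auth0 again), as an added Go example that is not part of the original thread or of any Auth0 SDK. Everything in it is constructed for the example: the `Verifier`, `Claims`, `MintToken` and `NewDemoSetup` names, the kid `demo-key-1`, and the issuer and audience URLs. `MintToken` stands in for the authorization server so the code runs offline with only the standard library; in a real API the `Keys` map would be filled once at startup from the tenant's JWKS endpoint instead, and you would also re-fetch on an unknown kid to survive key rotation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims is the subset of the access token this API relies on ("aud" as an array).
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// Verifier: issuer public keys by "kid" (in production fetched once at boot from the JWKS endpoint) plus expected values.
type Verifier struct {
	Keys     map[string]*rsa.PublicKey
	Issuer   string
	Audience string
}

// Verify returns claims only when every check passes; it never contacts the issuer.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin RS256 server-side: honouring the header's own "alg" is how "none" and RSA/HMAC confusion bugs arise.
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	key := v.Keys[hdr.Kid] // nil for an unknown kid
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown key or invalid signature")
	}
	var c Claims // only a signed payload is worth parsing
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != v.Issuer {
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	}
	forUs := false
	for _, a := range c.Aud { forUs = forUs || a == v.Audience }
	if !forUs {
		return nil, errors.New("token not issued for this API")
	}
	if !time.Now().Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// MintToken is a constructed stand-in for the authorization server; a real API never holds the signing key.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// NewDemoSetup makes a throwaway key pair and a Verifier trusting its public half under kid "demo-key-1" (placeholder URLs).
func NewDemoSetup() (*Verifier, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Verifier{
		Keys:     map[string]*rsa.PublicKey{"demo-key-1": &priv.PublicKey},
		Issuer:   "https://example-tenant.example.com/",
		Audience: "https://api.example.com/",
	}, priv, nil
}

func main() {
	v, priv, _ := NewDemoSetup()
	tok, _ := MintToken(priv, "demo-key-1", Claims{Iss: v.Issuer, Sub: "auth0|abc123",
		Aud: []string{v.Audience}, Exp: time.Now().Add(10 * time.Minute).Unix()})
	fmt.Println(v.Verify(tok))
}
```

The order of checks is the point: algorithm pinned, key looked up by kid, signature verified, and only then are the issuer, audience and expiry read from the payload, so nothing unsigned ever influences the decision. A middleware would wrap `Verify` and answer 401 on any error; the request only reaches the handler with a `*Claims` it can trust.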