Simple In-App Signup Without Universal Login

Hello,

We are currently exploring auth0 as an identity management solution for our business. However, I am finding auth0 and its surrounding documentation to be incredibly obtuse and unclear.

In our flow, we have a simple signup form, i.e.
Email: __________________
Phone: _________________
Password: _____________

For business, legal, and technical reasons, we CAN NOT take the user to the universal login/account creation for signup. We must use our own in-house form rolled by our engineers in React JS.

I’m struggling to understand if this is possible or what steps would be involved. After looking at Call Your API Using Resource Owner Password Flow, I have tried the following flow:

  1. Upon user creation within our system, we make an API call to create the user in the auth0 database connection, registering their email and password in the DB.
  2. When the user fills out their login info on our form, we call the /oauth/token endpoint with this payload:
  const payload = {
    grant_type: 'password',
    username: email,
    password,
    client_id: getEnv('AUTH0_CLIENT_ID'),
    client_secret: getEnv('AUTH0_CLIENT_SECRET'),
  };

We then receive a JWT access token from auth0.

However…according to the docs, and my general feeling, this is intended for API access and not general user validation within your API. I’ve noticed strange things that totally break our existing passport/JWT integration, such as the audience field returning the CLIENT_ID and not the actual audience (seriously, what gives? this breaks any normal JWT-based auth flow)

Any help in clearing the fog here would be much appreciated.

Hi @william2,

Welcome to the Auth0 Community!

So, it sounds like you are interested in embedded login. I would take a look at this example if you haven’t already had the chance to. It will have some informational value.

Familiarize yourself with cross origin authentication.

In regards to the audience, what are you wanting to have returned there instead of client_id?

Thanks,
Dan
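
The audience mismatch raised in this thread, seen from the API's side, as an added example that is not code from either poster or from Auth0: a verifier that pins the algorithm, checks the signature and expiry, and accepts a token only if `aud` (string or array) contains the API's own identifier, so a token whose `aud` is the application's client ID is rejected. The secret, identifiers and tokens are constructed, the function names are hypothetical, and HS256 with a shared secret is an assumption made so the example runs offline.

```javascript
// Added example: constructed tokens, hypothetical names, HS256 stand-in key.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';        // stand-in signing key (assumption)
const API_AUDIENCE = 'https://api.example.test'; // hypothetical API identifier
const CLIENT_ID = 'constructedClientId123';      // hypothetical application client ID

const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Build a signed sample token (fixture for this example only).
function sign(claims) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${hmac(`${head}.${body}`).toString('base64url')}`;
}

// Verify pinned algorithm, signature, expiry and audience; return claims or throw.
function verifyForApi(token, expectedAud, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const given = Buffer.from(sig, 'base64url');
  const want = hmac(`${head}.${body}`);
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // "aud" may be a single string or an array of strings (RFC 7519, section 4.1.3).
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAud)) throw new Error('audience mismatch');
  return claims;
}

// Returns 'accepted' or the rejection reason for a token.
function check(token) {
  try { verifyForApi(token, API_AUDIENCE); return 'accepted'; }
  catch (e) { return e.message; }
}

const exp = Math.floor(Date.now() / 1000) + 300;
const forApi = sign({ sub: 'user|1', aud: [API_AUDIENCE, 'https://other.example.test'], exp });
const forClient = sign({ sub: 'user|1', aud: CLIENT_ID, exp });
console.log(check(forApi), '/', check(forClient));
```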