For a variety of reason we cannot use Auth0 lock or have client talk to Auth0 directly, as such, is the following proposed solution acceptable from a security point of view.
Our application consists of an SPA and native mobile apps that talk to a single API. Everything is over HTTPS.
For the SPA:
- The users enters username/password into the SPA and sends these to our API.
- Our API makes a request to Auth0 to get an access_token (JWT) and refresh_token via /oauth/token.
- The access_token is passed to the SPA along with a session id.
- The SPA stores the JWT in localStorage.
- The session id is in an HTTP only cookie.
- The refresh_token is stored on our secure API server and scoped to the users session.
- All subsequent requests pass the access_token (JWT) as a Authorization (bearer) header and the session id as a cookie implicitly.
- If the access_token (JWT) has expired a 401 is returned to the SPA.
- The SPA makes a request to a refresh endpoint and passes to it the session id and access_token (JWT), the session id is used to look up the refresh token from the session storage and a new access_token (JWT) is requested from Auth0.
- The new access_token (JWT) is then passed back to the SPA.
For the native mobile apps:
- The users enters username/password into the app and sends these to our API.
- Our API makes a request to Auth0 to get an access_token (JWT) and refresh_token via /oauth/token.
- Both the access_token (JWT) and refresh_token are passed back to the mobile app with nothing stored on our servers.
- All subsequent requests pass the access_token (JWT).
- If the access_token (JWT) has expired a 401 is returned to the mobile app.
- The mobile app makes a request to a refresh endpoint and passes both the access_token (JWT) and the refresh_token, the refresh token is used to gain a new access_token (JWT) from Auth0.
- The new access_token (JWT) is then passed back to the mobile app.
Any thoughts or suggestions on the process would be much appreciated.