New IAM developer here. I’m working with an existing React SPA + GraphQL API + MongoDB setup, and I’m trying to move user authentication out of our API and into Auth0.
Using the documentation, I’ve been able to set up User Login in the SPA, which returns the User ID (sub) and OIDC scopes.
However, I want this information to safely reach the API, not the SPA.
Next, I tried to implement M2M, and successfully received an access token in the SPA from Auth0, which I was able to verify in the API. However, this contained no user information (the user never logs in), and the “sub” was the Client ID, not a User ID. It also didn’t contain anything I could use to call Auth0 to get the logged-in user’s information (again, the user never logged in, so this flow feels wrong).
What I want to achieve in the end is the user sending GraphQL requests to our API, together with a JWT (Bearer token) that I can use to authorize the user in the API.
To get to this point, my intuition tells me that I want to have the user log in through Auth0 in the SPA, receive a token, send that token to the API, verify it there and find the User ID inside, then use the GraphQL request and the User ID to safely make calls to MongoDB. The GraphQL API is NOT closed, but requires a verified User ID for certain authorizations that we want to handle on the API side.
I don’t know if this is the right flow, or if it’s the best flow when using Auth0, but since all the documentation I’ve read so far has been stellar, I would love to find one that explains how to implement this flow.
Should I just POST the User ID in the first flow to our API, and make a JWT there (close to what we used to do, except the User ID used to be confirmed inside our API)?
Any guidance is highly appreciated!