SPA + API + Database Flow (Newbie question)


New IAM developer here. I’m working with an existing React SPA + GraphQL API + MongoDB setup, and I’m trying to move user authentication out of our API and into Auth0.
Using the documentation, I’ve been able to set up User Login in the SPA which returns User ID (sub) and OIDC scopes.
However, I want this information to safely reach the API, not the SPA.

Next, I tried to implement M2M, and successfully received an access token in the SPA from Auth0, which I was able to verify in the API. However, this contained no user information (the user never logs in), and the “sub” was the Client ID, not a User ID. It also didn’t contain anything I could use to call Auth0 to get the logged-in user’s information (again, the user never logged in, so this flow feels wrong).

What I want to achieve in the end is the user sending GraphQL requests to our API, together with a JWT (Bearer token) that I can use to authorize the user in the API.
To get to this point, my intuition tells me that I want to have the user log in through Auth0 in the SPA, receive a token, send that token to the API, verify it there and find the user ID inside, then use the GraphQL request and the User ID to safely make calls to MongoDB. The GraphQL API is NOT closed, but requires a verified User ID for certain authorizations that we want to handle on the API side.

I don’t know if this is the right flow, or if it’s the best flow when using Auth0, but since every documentation I’ve read so far has been stellar, I would love to find one that explains how to implement this flow.

Should I just POST the User ID in the first flow to our API, and make a JWT there (close to what we used to do, except the User ID used to be confirmed inside our API)?

Any guidance is highly appreciated!

Best regards,

What you describe should be covered in a general way by this scenario documentation. Have you already gone through this documentation?

If not I would recommend that as a starting point and any specific questions can be handled here or in a new post.


@jmangelo Thank you for your reply!
I clicked myself through the link, and found that my access token in the first flow (where the user only logs into the SPA) was simply lacking the correct audience in the Auth0Provider. Just adding that gave a completely different access token, which my API (using the same calls and JWT checks I implemented in the M2M flow) was able to verify correctly and extract the user’s information from.

I also located a clue to what I believe is my last big hurdle (custom Enterprise Connection is only returning user sub, not any of the user information that I would expect to find with the scopes), so I’ll make a new post for that.

Best regards,