SPA, GraphQL and microservices

I’ve trawled the Auth0 community and blog posts but cannot find a complete answer to the following:

Current setup of Auth0

  • Utilising RBAC (give a user a role, and that role has permissions from APIs assigned to it)
  • When logging in, we have a rule that grabs the user’s roles and permissions and adds them to the access token

What we would like our architecture to be

  1. SPA frontend that is hosted statically somewhere
  2. Public GraphQL that is a thin proxy that calls our private microservices
  3. Our private microservices that are not available over the internet (but GraphQL can call them)

SPA
A dashboard for users to log in on app.example.com

This is an application in Auth0.

GraphQL
Our public GraphQL server on api.example.com/graphql

This is an API in Auth0.

Microservice #1: Blog Posts
An API in Auth0 that has the following scopes:

  • read:posts
  • write:posts

Microservice #2: Media API
An API in Auth0 that has the following scopes:

  • read:media
  • write:media

User
User has role “Admin”, which grants all scopes from both APIs.

Question
How can we have the user log into the SPA, and then use their access token to call multiple APIs in Auth0?

I can’t find a clear answer of how to allow a user to call multiple APIs from the SPA via GraphQL. GraphQL obviously amalgamates multiple APIs and we want the user to be able to call all APIs they have access to without re-authenticating.

I’m open to any solution that would be deemed best practice.