SPA using an API through a WebSocket

I’ve been circling around this problem for a while now, and I find myself pretty close to a solid solution.

I want to share what I found before asking my questions, both to give some context and to share some information that I found poorly communicated in the Auth0 Docs, where WebSockets seems to be a banned word. In retrospect it is clear that a WebSocket can and should be treated the exact same way as a good old HTTP REST API, but when you are in the thick of it WebSockets seem like an entirely different animal.

I implemented authentication for my Single Page Application (SPA) using the pretty good JS tutorial / quick start.

I’ve also added an API representing the functionality in the backend which the frontend “talks to” over the WebSocket. I’ve added permissions to the API, and assigned these permissions to users. Remember to use Roles if you have a slightly more complex system.

By default the Access Token given by getTokenSilently is what is called an opaque token (from my understanding a token without any claims), whose sole purpose is to allow for authentication (identifying who logged in but NOT telling what the logged-in user has access to).

When adding the backend API to the audience in the Auth0Client like so:

{
  "domain": "YOUR_DOMAIN",
  "clientId": "YOUR_CLIENT_ID",
  "audience": "YOUR_BACKEND_API_IDENTIFIER"  <-- This is added ! ! !
}

The Access Token will cease to be an opaque token and will actually start containing claims.

Now, by enabling RBAC and enabling Add Permissions in the Access Token on the backend API, it will be possible to find user permissions in the Access Token (notice the last part of the made-up token below):

{
  "iss": "https://my-issuer.eu.auth0.com/",
  "sub": "auth0|6g0cqf171e3d240eb0abb25d",
  "aud": [
    "https://my-issuer.com/awesome",
    "https://my-issuer.eu.auth0.com/userinfo"
  ],
  "iat": 1640042060,
  "exp": 1640128460,
  "scope": "openid profile email",
  "permissions": [
    "post:read",
    "post:create"
  ]
}

Alright, this is as far as I got - now for the questions :smiley:

  1. Is the above a good recipe for using WebSockets with Auth0? And if yes,
  2. Should I use the Access Token to establish a WebSocket connection (the Access Token given by getTokenSilently)? Because I also have the ID Token given by getIdTokenClaims (hidden in the __raw property).
  3. Is the default 24-hour expiry of API tokens good for WebSockets? It seems a bit much, but I’m no security expert. Maybe it is good enough if I just reject Tokens issued more than a few mins ago. That would allow for a WebSocket connection that doesn’t need to be refreshed often, while not being afraid that a leaked token could be used hours after it was supposed to be used.
  4. Is using Auth0 with WebSockets really such a rare sight as the documentation and posts in this forum suggest, or am I just the only one having a hard time with it?