My backend is Flask (Python) and my front end is SSR with next.js. I’m planning the workflow to issue new access tokens continuously, so the user can be logged in permanently. Furthermore, I need to store basic user information in my database (email, prof pic etc). After reading thoroughly the documentation and forums topics here and there, what I’ve got so far:
- User logs in via auth0's universal login
- Upon successful login, auth0 redirects back with a `code`, located in the url path
- Backend makes a POST request to auth0 with that code, and auth0 responds back with an `access, id & refresh token`
- From the ID token, I consume the user's data. Check if the user is registered or not
- If the user is not registered, a new record in the database will be inserted with the contents of the ID token
- Store the `refresh token` in the database
- Send the access token to the client and store it in an `http-only cookie`
- Whenever a request is being made, the backend checks the access token's exp
- If the access token has expired, the backend makes a new request to auth0 with the refresh token, and auth0 issues a new access token
- Backend sends the new access token back to the client
- Whenever the client logs out, the refresh token is erased from the database
- On next login, back to step 1.
Am I on the right path here?
Furthermore, I need admin and user rights. My current thought is
- Add permissions to the API, eg `create:tags`
- Whenever an admin endpoint gets hit, I'm checking if those permissions exist in the access token and authorize
Is this sufficient, or should I create a different endpoint and auth0 API for admin operations?