
Using access_token instead of id_token

id_token
access_token
spa

#1

Hi, I was looking at this relatively old example https://github.com/auth0-blog/redux-auth/tree/auth0-lock . Here, the SPA makes a request to our own server by using the id_token.

What confuses me is that in the new docs it says ID tokens should never be used as API tokens, like in here https://auth0.com/docs/api-auth/tutorials/adoption/api-tokens . It also says id_tokens are now just improvements which can help us avoid getting the user’s profile info.

So, I have an API and a SPA. From my SPA, I will access my API. To do that I will create an API in Auth0 and a client for my SPA. The SPA will use an access_token which has the scopes defined in the token. My API gets the access token. After I validate the token, I get the user_id, but to avoid going into the DB to get the user’s customer info and role (such as USER, CUSTOMER_ADMIN) I don’t want to go to my DB. I know these can be populated into id_tokens, but is it possible to add these to access_tokens? Is it the recommended approach?

Another question for me is that on a regular SPA, during the first authorization, why do users need to allow the application to access the details? My SPA app is already a trusted app and I think my users should not see/care about this. They just should signup and the grant automatically should be given to them. Basically, my web app should be able to access my API if they signup. I should not need their permission here. Am I wrong?

Thanks.
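As an added illustration of the question above (this is example code, not part of the original thread or of the linked Auth0 sample): one way to carry the role and customer id in the access token is an Auth0 Rule that copies them from `app_metadata` into namespaced custom claims, so the API can authorize from the verified token payload without a database round trip. It assumes the Rules `(user, context, callback)` signature with `context.accessToken` / `context.idToken`, and the namespace URL, the `app_metadata` field names and the scopes are made up for the example.

```javascript
// Added example, not from the original thread. Assumes the Auth0 Rules
// contract (user, context, callback) with context.accessToken / context.idToken;
// NAMESPACE, the app_metadata fields and the scopes below are constructed.
const NAMESPACE = 'https://example.com/claims/';

// The Rule itself. Auth0 runs it on every login before tokens are minted.
function addCustomClaims(user, context, callback) {
  const meta = user.app_metadata || {};
  const roles = Array.isArray(meta.roles) ? meta.roles : [];
  const customerId = meta.customer_id || null;

  // Custom claims in Auth0-issued tokens must be namespaced (URL-style);
  // non-namespaced custom claims are dropped from the token.
  context.accessToken[NAMESPACE + 'roles'] = roles;
  context.accessToken[NAMESPACE + 'customer_id'] = customerId;

  // The same data can go into the ID token for the SPA's own UI, but the
  // SPA should never forward the ID token to the API as a bearer token.
  context.idToken[NAMESPACE + 'roles'] = roles;

  return callback(null, user, context);
}

// API side: run this only on a payload whose signature, issuer, audience
// and expiry have already been verified by your JWT library. It then
// authorizes from the decoded claims alone, with no DB lookup.
function authorize(payload, requiredRole, requiredScope) {
  const scopes = (payload.scope || '').split(' ').filter(Boolean);
  const roles = payload[NAMESPACE + 'roles'] || [];
  return {
    userId: payload.sub, // Auth0 puts the user_id in the standard `sub` claim
    customerId: payload[NAMESPACE + 'customer_id'] || null,
    allowed: scopes.includes(requiredScope) && roles.includes(requiredRole),
  };
}

// Constructed sample: simulate one login through the Rule, then the API check.
function demo() {
  const user = {
    user_id: 'auth0|abc123',
    app_metadata: { roles: ['CUSTOMER_ADMIN'], customer_id: 'cust-42' },
  };
  const context = { accessToken: {}, idToken: {} };
  let minted;
  addCustomClaims(user, context, (err, u, ctx) => { minted = ctx; });

  // What the API sees after verification: `sub` and `scope` are set by
  // Auth0 itself, the namespaced claims come from the Rule.
  const payload = Object.assign(
    { sub: user.user_id, scope: 'read:orders write:orders' },
    minted.accessToken
  );
  return authorize(payload, 'CUSTOMER_ADMIN', 'write:orders');
}
```

The scope check answers "may this client call this endpoint" and the role claim answers "may this user do this"; keeping both in the access token lets the API stay stateless, at the cost that a role change only takes effect when the token is reissued.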


#2

https://community.auth0.com/questions/1407/what-is-the-right-setup-for-lock-spa-native-rest-a this question & answer has been very helpful. I think it would be good to provide links to the new examples in the old examples.


#3

See my answer to a similar question here.

As for the consent screen, you can enable the Allow Skipping User Consent setting in the API dashboard, which will skip the consent screen for First Party clients (all clients created in Auth0 are First Party by default).


#4