Hi, I was looking at this relatively old example, GitHub - auth0-blog/redux-auth at auth0-lock. Here, the SPA makes a request to our own server by using the id_token.
What confuses me is that in the new docs it says ID tokens should never be used as API tokens, like in here: Access Tokens. It also says id_tokens are now just improvements which can help us avoid getting the user's profile info.
So, I have an API and a SPA. From my SPA, I will access my API. To do that I will create an API in Auth0 and a client for my SPA. The SPA will use an access_token which has the scopes defined in the token. My API gets the access token. After I validate the token, I get the user_id, but to avoid going into the DB to get the user's customer info and role (such as USER, CUSTOMER_ADMIN) I don't want to go to my DB. I know these can be populated into id_tokens, but is it possible to add these to access_tokens? Is it the recommended approach?
Another question for me is that on a regular SPA, during the first authorization, why do users need to allow the application to access the details? My SPA app is already a trusted app and I think my users should not see/care about this. They should just sign up and the grant should automatically be given to them. Basically, my web app should be able to access my API if they sign up. I should not need their permission here. Am I wrong?
Thanks.
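The access-token question above, as an added example that is not part of the original post: an Auth0 Rule that copies role and customer data from `user.app_metadata` into the access token under namespaced claim names, and the API-side check that reads those claims from an already-verified payload instead of querying the user DB. The namespace `https://example.com/`, the `app_metadata` fields, and the `authorize` helper are assumptions for illustration.

```javascript
// Added example (not from the original post). Assumes an Auth0 Rule that copies
// role/customer data from user.app_metadata into the access token; the namespace
// 'https://example.com/' is a placeholder. Auth0 only keeps custom claims in an
// access token when their names are namespaced (URL-style); bare names are dropped.
const NS = 'https://example.com/';

// Auth0 Rule body: runs in the Auth0 pipeline with (user, context, callback).
function addCustomClaims(user, context, callback) {
  const meta = user.app_metadata || {};
  context.accessToken[NS + 'role'] = meta.role || 'USER';
  context.accessToken[NS + 'customer_id'] = meta.customer_id || null;
  return callback(null, user, context);
}

// API side: operate only on a payload that the JWT middleware has already
// verified (signature, issuer, audience, expiry). Deny when the custom claims
// are absent rather than falling back to a default role.
function authorize(verifiedPayload, requiredRole) {
  const role = verifiedPayload[NS + 'role'];
  const customerId = verifiedPayload[NS + 'customer_id'];
  if (!role || !customerId) return { ok: false, reason: 'missing custom claims' };
  if (role !== requiredRole) return { ok: false, reason: 'insufficient role' };
  return { ok: true, userId: verifiedPayload.sub, customerId, role };
}

// Run the rule locally against a constructed user and return what the issued
// access-token payload would look like (sub is the Auth0 user_id).
function simulateRule(user) {
  const context = { accessToken: {}, idToken: {} };
  let result = null;
  addCustomClaims(user, context, (err, _u, ctx) => {
    result = { err, payload: { sub: user.user_id, ...ctx.accessToken } };
  });
  return result;
}

// Constructed sample user; values are placeholders, not real identifiers.
const sampleUser = {
  user_id: 'auth0|123',
  app_metadata: { role: 'CUSTOMER_ADMIN', customer_id: 'cust-42' },
};

const { payload } = simulateRule(sampleUser);
console.log(authorize(payload, 'CUSTOMER_ADMIN')); // ok: true
console.log(authorize(payload, 'USER'));           // ok: false, insufficient role
```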