Quick summary of the architecture:
A React application with Universal Login using the react-auth0 SDK.
Once the user logs in to the React app, I get a JWT from Auth0 and set it as a cookie to be used by another Node.js application, which uses this cookie for authentication.
If the JWT signature is valid (checked using the Auth0 JWKS endpoint), only then is the Node.js application available/authenticated.
- Is this the right approach? Right now I'm not using refresh tokens, so if someone gets hold of the JWT they can launch the Node.js application without being authenticated. How can I put an expiry on the JWT that I'm manually setting and refresh it based on the parent app (if logged in)?
- I see that Auth0, after logging in, sets a cookie called jwt. Is it possible to use the same token in the iframe instead of setting the jwt cookie manually? The jwt cookie set by Auth0 is set at the subdomain level, and I want to access it in another subdomain with the same domain name. For example: Auth0 sets jwt at xxx.yyy.com and I want to access that token at zzz.yyy.com. Can Auth0 set the jwt token at the .yyy.com level instead of me having to do this manually and setting a new cookie with domain .yyy.com?
I hope I've been able to explain myself. I'm new to this and this is a complicated system.