Using only ID Token, with own roles/permissions database


I’m trying to integrate Auth0 to our existing setup.
I’m repeatedly reading that I should only use the Access token to access my api’s, and not the Id Token.

However, I’m not planning on adding my api’s to Auth0 with scopes and permissions, as we are managing roles and permissions in our own database for users.

Can’t I do this? :

  1. Usual authentication flow with Auth0, ID Token is returned
  2. ID Token is stored
  3. The ID token is used to identify the user in our database, and with each request to our api, the ID token identifies the user in our database and returns the permissions and roles to check from our database

Hi @moticom

It sounds to me like you DO need an access token.

Using the ID token to identify your user and pull out roles and permissions is appropriate.

However, when you call an API, you need to ensure that the user is authorized for that API (this is a simple yes/no, not involving roles/permissions). This is done via the access token. Each API has its own audience, and a user can call some APIs but not others.


In my Api’s the functions in the api are working based on roles, so in this case can I just use the id token to return the role and that’s it? Because all of my api’s can be accessed by all users, what’s returned/processed is based on the role.