Hey,
I’m trying to set up the following architecture:
React-Native mobile client
React web client
Express server for API calls
The users will be able to log-in on either or both of the clients, and both clients need to be able to access the server APIs after being authenticated.
I’m struggling with mainly 2 questions:
how many Auth0 applications/APIs do I need here? one for each client&server? do I need to create APIs for this?
how should the clients get the tokens for making the authenticated API requests? is it a token that the clients get when the user logs in, or do the clients need to make some new requests to Auth0 to generate a token for the API requests?
It sounds like you will need to register 3 applications in Auth0 (1 Native, 1 SPA, and 1 Web) as well as 1 registered API.
That’s correct - Upon successful authentication/authorization users will typically receive an ID token and Access token. The ID token contains information about the user (authenticated) and the Access token will contain scopes, roles, permissions etc. and is validated by your backend/API.
The following architecture scenario docs may be a good place to start in order to get a general overview of what this may look like:
I also definitely recommend exploring our sample apps and quickstarts as there are basic examples of all technologies you are working with.
Let us know if you have any follow up questions, but it sounds like you are on the right track!
Thanks for the quick and details response @tyf,
The applications and the API make total sense, what I’m still not sure about tho is upon successful authentication/authorization on the clients (web or mobile), will I get the Access token as a response to the authorization call (and will be able to use it to authenticate the API call to the server), or will I have to call another Auth0 API (like ‘/oauth’) to get this Access token for the API calls?
That’s exactly correct! Upon successful authentication/authorization a user will receive ID/Access tokens for which the Access token is to be used against your API. This doc provides a good outline of the different flows - In particular I recommend checking out the PKCE flow as it will most likely be used for both a SPA and mobile (native) app:
