What do I do with an access token?

I have a react webapp, which I’m using to service my frontend, and another Java API Backend.

I’m currently using @auth0/nextjs-auth0 to get user information from Auth0, which is working well.
The access_token is being stored in the user session, and I can use it in the Bearer header to call my API.

But I’m not sure what the Java backend is supposed to do with the token!

Do I make a call to Auth0 to confirm if this token is valid?
Do I call GetUserInfo?
Do I use the Management API Access Token?

Not quite sure how to proceed at this point.
Please advise.

I’ve implemented this approach using the JWT for bearer auth in a .NET backend. Not sure how it’s done in Java but in my startup file I enable bearer authentication using the IAppBuilder interface so I can use the UseJwtBearerAuthentication extension. It’s here I configure the allowed audiences and issuers etc.

I validate the JWT on each request using Owin, either by overriding OnActionExecuting or within a custom authentication attribute. I can then get the claims from the JWT from the user principal, such as the user's email, userId and any custom claims added from a rule. I use the userId to do a DB lookup for the user so I can add my own claims for the remaining request.

I also use the ManagementApi via the .NET SDK for creating/updating users, changing pws etc.

Take a look at the docs and see if there is a Java code example.
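A Java counterpart of the validation the reply describes, added here as an example (it is not code from this thread or from Auth0's own docs). It assumes the `com.auth0:java-jwt` and `com.auth0:jwks-rsa` libraries are on the classpath; the tenant domain, API audience and the `scope` claim name are placeholders you would replace with your own values. The point it shows: an RS256 access token is verified locally against the tenant's published JWKS signing keys, with the issuer and audience pinned, so the backend does not need a per-request call to Auth0 or to the userinfo endpoint to decide whether a request is authentic.

```java
// Added example, not from the original thread. Assumes com.auth0:java-jwt and
// com.auth0:jwks-rsa. ISSUER, AUDIENCE and the "scope" claim are placeholders.
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

public class AccessTokenVerifier {

    // Placeholders: your Auth0 tenant domain and the API identifier registered in Auth0.
    private static final String ISSUER = "https://YOUR_TENANT.auth0.com/";
    private static final String AUDIENCE = "https://api.example.com/";

    private final JWTVerifier verifier;

    public AccessTokenVerifier() {
        // JWKS client: fetches the tenant's public signing keys from
        // <ISSUER>.well-known/jwks.json and caches them, so verification
        // does not cost a round trip to Auth0 on every request.
        JwkProvider jwks = new JwkProviderBuilder(ISSUER)
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();

        // Resolve the public key by the 'kid' in the token header. No private key:
        // the backend only verifies tokens, it never signs them.
        RSAKeyProvider keyProvider = new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String keyId) {
                try {
                    Jwk jwk = jwks.get(keyId);
                    return (RSAPublicKey) jwk.getPublicKey();
                } catch (JwkException e) {
                    throw new IllegalStateException("unknown signing key: " + keyId, e);
                }
            }
            @Override public RSAPrivateKey getPrivateKey() { return null; }
            @Override public String getPrivateKeyId() { return null; }
        };

        // Pin the algorithm to RS256 and require the expected issuer and audience.
        // exp/nbf/iat are checked by the library; acceptLeeway tolerates small clock skew.
        this.verifier = JWT.require(Algorithm.RSA256(keyProvider))
                .withIssuer(ISSUER)
                .withAudience(AUDIENCE)
                .acceptLeeway(30)
                .build();
    }

    /** Strips the Bearer prefix and returns the verified token, or throws. */
    public DecodedJWT verify(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            throw new JWTVerificationException("missing bearer token");
        }
        String token = authorizationHeader.substring("Bearer ".length()).trim();
        return verifier.verify(token); // throws JWTVerificationException on any failure
    }

    /** A servlet filter or interceptor would do this once per request. */
    public static void main(String[] args) {
        AccessTokenVerifier v = new AccessTokenVerifier();
        try {
            DecodedJWT jwt = v.verify(args.length > 0 ? args[0] : null);
            // 'sub' is the Auth0 user id (e.g. "auth0|..."): the key for your own DB lookup.
            System.out.println("user id: " + jwt.getSubject());
            // Granted scopes (space-separated) drive authorization decisions in the API.
            System.out.println("scope:   " + jwt.getClaim("scope").asString());
        } catch (JWTVerificationException e) {
            // Any failure (bad signature, wrong aud/iss, expired) is a 401, not a 500.
            System.out.println("reject with 401: " + e.getMessage());
        }
    }
}
```

Run it as `java AccessTokenVerifier "Bearer <token>"` with the two libraries on the classpath. Calling the userinfo endpoint or the Management API is only needed when the backend wants profile data or has to change a user, not to establish that the request is authenticated; the signature, issuer, audience and expiry checks above are the authentication step, and the `sub` claim is what the reply's DB lookup keys on.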

