I have a React webapp, which I’m using to serve my frontend, and another Java API backend.
I’m currently using @auth0/nextjs-auth0 to get user information from Auth0, which is working well.
The access_token is being stored in the user session, and I can use it in the Bearer header to call my API.
But I’m not sure what the Java backend is supposed to do with the token!
Do I make a call to Auth0 to confirm if this token is valid?
Do I call GetUserInfo?
Do I use the Management API Access Token?
Not quite sure how to proceed at this point.
Please advise.
I’ve implemented this approach using the JWT for bearer auth in a .NET backend. Not sure how it’s done in Java, but in my startup file I enable bearer authentication using the IAppBuilder interface so I can use the UseJwtBearerAuthentication extension. It’s here I configure the allowed audiences and issuers, etc.
I validate the JWT on each request using Owin, either by overriding OnActionExecuting or within a custom authentication attribute. I can then get the claims from the JWT from the user principal, such as the user’s email, userId and any custom claims added from a rule. I use the userId to do a DB lookup for the user so I can add my own claims for the remainder of the request.
I also use the ManagementApi using the .NET SDK for creating/updating users, changing pws, etc.
Take a look at the docs and see if there is a Java code example.