I am aware that both opaque and JWT-based access tokens are supported but I am trying get a sense of your best practice recommendations (eg. if one was to start an SPA+API app tomorrow).
From https://auth0.com/docs/tokens, it says:
In your applications, treat access tokens as opaque strings since they are meant for APIs. Your application should not attempt to decode them or expect to receive tokens in a particular format.
- When it says “applications” is it referring to the JS SPA application only (ie. not the Rails API part of the stack)? For surely the Rails API necessarily must attempt to decode them (assuming they are JWTs in this case)?
- Or is this line saying that the best practice is that the JS SPA application should send opaque access tokens (instead of JWT access tokens) to the Rails API?
Access tokens must never be used for authentication. Access tokens cannot tell if the user has authenticated.
- Surely, again, this can only refer to the JS SPA application. As the main point of the access token (certainly if it is a JWT) is to tell the Rails API that the user is authenticated (one has to be authenticated before one can be authorized, correct?). Though, strictly speaking, the ID token models the user (and is what is the JS application uses to “log in” the user), it is reasonable to say that the access token is a representation of what resources in the API that user can access from the Rails API, correct?
- The big question is - once the Rails API receives a JWT-based access token (and validates the access token and, optionally, calls a user info endpoint) is there anything else it needs to do before it begins to use information in that access token? To me, the wording in the docs above is ambiguous/confusing in this regard.
The last two questions that all this raises overall are:
- So is there a best practice, from Auth0’s perspective, with respect to whether an access token should be a JWT or an opaque string?
- If the best practice is to use an opaque string then is there a reason that the Rails API example repo (linked from the Rails API quickstart guide ) uses a JWT instead of an opaque string as an access token?
Lots of questions for a Friday evening Hopefully, I have explained them clearly.
Have a good weekend,
P.S. I did read this - Why is my access token not a JWT? (Opaque Token) - Auth0 Community post, which is very good (and explains how to switch between the opaque style and the JWT style of access token), though it doesn’t answer my above questions.