Why I won’t use Auth0

Hello, sorry about the rant to come, but I hope you will improve your documentation with my feedback. To recap, here is what I want(ed) to do:
To use Auth0 in order to replace my sessions and benefit from a (free!) user login, that seemed awesome. I already have a React app and I just wanted to auth our users in order to use our API, pretty straightforward.

Here is what happened next:
I followed the tutorial:

And this didn’t work because of that issue
I only got 401 errors after login

I did the double switch and it worked! (Even though I had sameSite warnings in the console, I decided to ignore them at that time.) Nice, so now I can continue my work. I added the getAccessTokenSilently (forgot to add the audience) and started working on the API side of things.

API side:

Following this tutorial I add my middleware, and start testing it.
First issue: with the

audience: 'YOUR_API_IDENTIFIER',

part of it. I have no idea what this refers to. Is it my client ID? There is no reference to it in the application dashboard. When in doubt, I used the client ID.
Second issue: when I tested my API I now have a jwt malformed error returned by the server. The code is 401, which is good; the error is the whole stack trace (not good).
So I dug deeper and tried to add the audience to my frontend app and to the backend. All I managed to get is Error: Service not found: XXX. I see a lot of questions related to it:

So far I still don’t quite understand what this audience thing is about, I can’t find up-to-date documentation about it. And that’s with my dev account that has the same frontend as the examples. The production one is completely different, I don’t know why, I didn’t find a way to change it.

In the end:
I’ll remove the redis session and use jwt by myself like I have always done. I’ve already spent too much time trying to get how your product works and I just scratched the surface of what I want to do. I can’t imagine the trouble I might get into when I’ll try to send reset password links. I think I am missing something great by not using Auth0 but the feeling I have after spending a few hours using your service doesn’t give me any confidence that things will work well in the future.

I hope my feedback is clear and will allow you to improve the documentation. That is the only issue I have with your service; however, as a developer-oriented product, that may be the most important thing for me.

Bests,

1 Like

Hi @Dev29,

Welcome to the Community!

Sorry to hear about your frustrations, and we appreciate you taking the time to detail the struggles you had getting your Auth0 implementation set up.

Hopefully I can help to address some of these concerns:

Sorry for this one, it’s a bug in the UI that should be fixed soon. This one is very frustrating, I understand. We are working on it (it is hopefully fixed by the time you read this).


It looks like a significant amount of the confusion is around the audience param.

In short, audience is who is consuming the access token. It is typically a backend API, or management API. This needs to be registered with Auth0, so the auth server can add it to the token.

It looks like you may have missed the Call an API section of the first tutorial you linked. In this section it explains and links to how to register your API and set a value for the identifier/audience.

1 Like
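
An added example, not part of the thread or of Auth0's own code: a diagnostic that reports why an API would reject an access token for the two failures discussed above (a string that is not a three-segment JWT, and an `aud` claim that does not contain the API identifier). The identifier, token values and function names are constructed for illustration, and the signature is deliberately not checked, so this is for debugging only.

```javascript
// Diagnostic only: the signature is NOT verified, never use this to authorize a request.
const EXPECTED_AUDIENCE = "https://api.example.test"; // hypothetical API identifier

function decodeSegment(segment) {
  // JWT header and payload are base64url-encoded JSON objects.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const value = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("not a JSON object");
  return value;
}

function explainToken(token, expectedAudience) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) {
    return { ok: false, reason: "malformed: not a three-segment JWT" };
  }
  let payload;
  try {
    decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (err) {
    return { ok: false, reason: "malformed: header or payload is not base64url JSON" };
  }
  // RFC 7519: "aud" is either a single string or an array of strings.
  const aud = payload.aud === undefined ? [] : [].concat(payload.aud);
  if (!aud.includes(expectedAudience)) {
    return { ok: false, reason: "audience mismatch", aud };
  }
  return { ok: true, reason: "audience matches; signature still unverified", aud };
}

// Constructed sample tokens (placeholder signature, no real secrets).
function makeSample(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(payload), "c2lnbmF0dXJl"].join(".");
}

const samples = {
  opaque: "kq3Zx0constructedOpaqueValue", // not a JWT at all
  clientIdAsAudience: makeSample({ aud: "constructedClientId123" }),
  apiAudience: makeSample({ aud: [EXPECTED_AUDIENCE, "https://tenant.example.test/userinfo"] }),
};

for (const [name, token] of Object.entries(samples)) {
  console.log(name, explainToken(token, EXPECTED_AUDIENCE));
}
```

The API itself should still validate the signature, issuer, expiry and audience with its JWT middleware; this helper only narrows down which of the two errors from the thread applies to a given token.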
