Hello, sorry about the rant to come, but I hope you will improve your documentation with my feedback. To recap, here is what I want(ed) to do:
To use auth0 in order to replace my sessions and benefit from a (free!) user login, that seemed awesome. I already have a react app and I just wanted to auth our users in order to use our API, pretty straightforward.
Here is what happened next:
I followed the tutorial:
And this didn’t work because of that issue
I only got 401 errors after login
I did the double switch and it worked! (Even though I had sameSite warnings in the console, I decided to ignore it at that time.) Nice, so now I can continue my work, I added the getAccessTokenSilently (forgot to add the audience) and started working on the API side of things.
API side:
Following this tutorial I added my middleware and started testing it.
First issue: with the
audience: 'YOUR_API_IDENTIFIER',
part of it. I have no idea what this refers to. Is it my client ID? There is no reference to it in the application dashboard. In doubt I used the client ID.
Second issue: when I tested my API I now have a jwt malformed error returned by the server. The code is 401 which is good, the error is the whole stack trace (not good).
So I dug deeper and tried to add the audience to my frontend app and to the backend. All I managed to get is Error: Service not found: XXX. I see a lot of questions related to it:
- Understanding how the "audience" concept actually works
- Audience: "YOUR_API_IDENTIFIER"
- Bad Audience when using a custom API - #11 by shlomiken
- Why is it necessary to pass the 'audience' parameter to receive a JWT?
So far I still don’t quite understand what this audience thing is about, I can’t find up to date documentation about it. And that's with my dev account that has the same frontend as the examples. The production one is completely different, I don’t know why, I didn’t find a way to change it.
In the end:
I’ll remove the redis session and use jwt by myself like I have always done. I’ve already spent too much time trying to get how your product works and I just scratched the surface of what I want to do. I can’t imagine the trouble I might get into when I’ll try to send reset password links. I think I am missing something great by not using auth0 but the feeling I have after spending a few hours using your service doesn’t give me any confidence that things will work well in the future.
I hope my feedback is clear and will allow you to improve the documentation, that is the only issue I have with your service, however, as a developer oriented product, that may be the most important thing for me.
Best,
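The audience confusion in the post comes down to what the API checks in the token's aud claim: the value to match is the API identifier registered under APIs in the Auth0 dashboard, not the application's client ID, and when no audience is requested at login Auth0 issues an opaque access token rather than a JWT, which is exactly what a JWT middleware reports as "jwt malformed". As an added example (not from the post, and not Auth0's own SDK or middleware), here is a stand-alone verifier with constructed values; HS256 with a shared secret stands in for Auth0's RS256 so it runs offline, and it returns a short rejection reason instead of a stack trace.

```python
import base64, hashlib, hmac, json, time

# Constructed values (not from any real tenant). The API identifier is the
# expected audience; the client ID only identifies the frontend application.
API_IDENTIFIER = "https://api.example.com"
CLIENT_ID = "aBcDeF123456"
SECRET = b"constructed-demo-secret"  # HS256 stands in for Auth0's RS256 here

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(aud: str, secret: bytes = SECRET, ttl: int = 3600) -> str:
    """Mint a demo HS256 JWT whose aud claim is the given value."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"sub": "user1", "aud": aud, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, expected_aud: str, secret: bytes = SECRET) -> dict:
    """Check shape, alg, signature, expiry and audience; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        # An opaque access token (no audience requested at login) lands here.
        raise ValueError("jwt malformed")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected_sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError("jwt audience invalid")  # e.g. token minted for the client ID
    return claims

def check(token: str) -> str:
    """Return 'ok' or the one-line reason the API should log and answer 401 with."""
    try:
        verify_token(token, API_IDENTIFIER)
        return "ok"
    except ValueError as e:
        return str(e)
```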