Hi there,
I have the following use-case: I have a Nuxt website where my users should log in via Auth0 OAuth. I want to use their Access Token to communicate with an API which is hosted on a different domain. However, if I use the application type “Single Page Application” in Auth0 I only get an opaque access token for the user, but when making requests to my API I’d love to validate the access token without having to query Auth0’s userinfo endpoint all the time.
So my questions are:
- Do I have to use a “Machine to Machine” application instead of a “Single Page Application” in Auth0 for this use case?
- Would it be totally fine to use a “Single Page Application” and query the userinfo endpoint for every request or maybe I could cache auth0’s response for a few minutes per opaque token?
- What other methods would I have to authenticate a user with my API, if not with the opaque access token?
Thank you very much for your time in advance.
Edit: So I found out that I can get a non-opaque JWT when specifying the audience in the authorization request. So far so good, but I don’t get a refresh token anymore? How could I refresh the access token without a refresh token?