Friday, 20 January 2017

OpenID code grant using IDP (with Auth0)

Hey /r/node, I'm currently learning about OAuth and OpenID and I had one question regarding the id_token (JWT containing the user claims). I'm using Auth0 with an external identity provider (IDP) using SAML.

I have my backend server with a /login route. This redirects the user to the Auth0 /authorize endpoint, which in turn redirects to the IDP's login page. The user logs in and is redirected back to my backend route, /login/check, with the code in the querystring. Pretty straightforward so far. The backend then calls the Auth0 /token endpoint to retrieve the access and id tokens.

This is where my question arises... Should I return the id_token back to the user at this point, or should it be kept on the backend? I've spotted some comments here and there saying the token is safer stored on the backend, but this doesn't make sense to me. My backend at this point has access to the secret (trusted), so it has no real need for the token and instead needs to verify the user's authentication. If I return the id_token to the user then happy days: they have a token that I can verify and all is well. This id_token can't be used to access the IDP directly; it only really allows access to my own application.

What would be the alternative to returning the id_token here? And is my implementation above odd or pretty standard when it comes to using IDPs in Auth0?

Submitted January 20, 2017 at 12:23PM by mitchjmiller
