In this post, I’ll try to cover what the process of authentication will look like in the Appwish platform. Appwish is made of frontend UI written in Rea...
Hi Patryk, first of all I really like your article. It is pretty short and explanatory.
I still have a question which we have on our project as well.
As I understand it, the ID Token is emitted to the audience, which is often the client_id of the requesting client (in your case the SPA). Is it then correct that your backend (Appwish) will receive and read the token which was emitted for a different party?
Shouldn't it rather be that your app would request an access token (via code flow) and authorize the user on the backend, which will then, on behalf of the user, request his ID token from the OP?
This debate was started after reading Auth0's doc:
Thanks for the interesting writeup. One note: you mentioned you would follow the new OAuth guidelines, which is great! However, I think you use the code grant type with PKCE and not PKCE alone.
You're welcome :) Good catch, you're right. It's the default when you use Auth0's client lib for SPAs.
Great explanation, thanks!
Thanks, you're welcome!