
I am creating a react-native-ios app that communicates with a php web app hosted on azure.

How I understand it works:

  1. The user signs up to the app; the server communicates with the auth0 server, which then returns a JWT token to the php server. The php server saves the token to the database and then sends the token back to the client device, where it is stored on the device.
  2. The user must send the JWT token as a header whenever communicating with the server.
  3. Whenever the user logs out, the token is deleted, and when signing in, a new JWT must be received.

The user can sign in using credentials that match what is in the database, or sign in with Google or Facebook.

Or is Auth0 just for signing in with enterprises such as Google, or can I use it to sign in to my app as well, which has login credentials in the database?

I have found the npm react-native-lock-ios but it doesn't work the way I described above.

In summary, how should I go about this, and is what I have explained above correct?

Larney

1 Answer


The main problem here is that you did not understand how to work with JWTs. I would advise you to take a deeper look at how this technology works and how Auth0 can help you. But, in summary, this is the authentication workflow that you must aim for:

  1. Your user will choose one of the many identity providers supported by Auth0 (e.g. Facebook, Twitter, LinkedIn, SAML, WS-Federation and so on).
  2. Your react native app will communicate directly with the Auth0 API through the react native lock.
  3. Auth0 will interface with the chosen provider and redirect the user to an authorization page at this provider (in case it is needed, and it is the first time the user logs in).
  4. Auth0 will generate a JWT and send it back to your react native app.
  5. Your react native app will send this JWT to the server (usually in the Authorization HTTP header) when issuing requests to your endpoints.
  6. Your PHP backend will check whether this JWT is really valid. This can be done with the Auth0 PHP SDK.
  7. In case the JWT sent has not been tampered with (changed irregularly), your backend will accept it as the user identifier and respond to the request as expected by your react native app.

As you can see, the biggest issue in the approach that you thought you would follow is that the login process does not go through your backend server. It happens in your front-end app (react native), communicating with Auth0 and the chosen identity provider.

JWTs are tokens that hold information (claims) about a subject. These tokens can be validated by anyone who possesses a key (public or private). That is, having this key, you can validate the token and rest assured that it has not been changed improperly.

Furthermore, to answer the question regarding the usage of Auth0 with credentials in your database: you can bet that you can use it. Auth0 provides ways to integrate with your own database to check the existence of a user. This is called a custom user store.

Happy studying.

Bruno Krebs