Mobile app token: Prerequisites
For simplicity we will keep our implementation focused solely on the authentication and authorization part. As you will see in the samples, the input timesheet entry will be hard-coded and the API will not persist the timesheet entry; it will simply echo back some of the information.
What is an API endpoint? An endpoint is the URL at which the API exposes a particular resource; to interact with that resource your application sends its requests to that URL.
For this implementation we will define two endpoints: one for retrieving the list of all timesheets for an employee, and another which allows an employee to create a new timesheet entry.
See the implementation in Node.
Validating the token consists of a series of steps, and if any of these fails then the request must be rejected with a Missing or invalid token error message to the calling app. Part of the validation process is also to check the client's permissions (scopes), but we will address this separately in the next paragraph of this document.
The last step is to verify that the client has the permissions required to access the protected resources.
The scope claim is part of the payload and is a space-separated list of strings; the API checks that the scope required by the endpoint being called appears in that list. Both endpoints also need to determine the identity of the user. For retrieving the list of timesheets this is to ensure that we only return the timesheets belonging to the user making the request, and for adding a new timesheet this is to ensure that the timesheet is associated with the user making the request.
One of the standard JWT claims is the sub claim, which identifies the principal that is the subject of the token. In the case of the Implicit Grant flow this claim will contain the user's identity, which will be the unique identifier for the Auth0 user.
In this article, we introduce the role that access tokens play in mobile banking applications and provide recommendations on how to secure these access tokens. We will also explain why such security measures are important. What is an Access Token? In the context of mobile banking, access tokens are used to authenticate the application's calls to third-party APIs and, as such, they must be treated as a critical security parameter. Web applications usually require authentication from the user.
You can use the sub claim to associate any information held in external systems with a particular user. You can also use a custom claim to add another attribute of the user, such as their email address, to the Access Token and use that to uniquely identify the user.