Mobile Backend authentication
Context
We need a way to replace the current login flow and to authenticate calls to Mobile Backend using Auth0 authentication.
Proposals: New Mobile Backend authentication
Decision
Old Approach
We decided to get rid of the old JWT, fully trust Auth0 authentication, and add a new mutation that handles new user creation and data migration to Auth0 as a separate step, not as part of the injetUserToContext process.
We chose Option 2: send the Auth0 access token in the request Authorization header and create a new endpoint to create/update users.

Notes
- The login mutation function needs to be deprecated or deleted, and the token verified against Auth0 instead.
- The verifyJWT function needs to be deprecated or deleted, and the token verified against Auth0 instead.
- ensureValidToken needs to be modified to validate the Auth0 token.
Consequences and limitations
- Mobile App users will have to log in to the App again after the Auth release is launched.
Blocking issues
- Because the Auth0 access_token is issued before the createOrUpdateUser mutation runs, and mobile_id is set by createOrUpdateUser, mobile_id is not available in the issued access_token or IdToken.
- The Auth0 Authentication API has a low rate limit for the calls the mobile app would need to make.
New Approach
Because of the blocking issues with the old approach and new requirements, it had to be changed slightly.
We can't get rid of the old JWT because there is no way to notify or force users on old versions of the app to update. Both authentication tokens will need to keep working: the old JWT and the new Auth0 JWT.
A new mutation is still needed to handle new user creation and data migration to Auth0.
Auth0 will trigger the migration of mobile app user data from the rccAppUserMigration action in the Post Login Flow, and the setCustomClaims action will be in charge of setting mobile_id in the access_token custom claims.
Mobile Backend data migration to Auth0

New create or update mutation
This new mutation will fetch the Hybris customer data, check the customer's RCC membership, create or update the customer in the Mobile Backend database, and return the user's mobile_id.
This mutation should only accept requests whose access token was issued to the Auth0 Actions client.
Auth0 will call createOrUpdateUser from the rccAppUserMigration action in the Post Login Flow to create or update the user in the mobile backend, retrieve the mobile_id and save it in the user's metadata.
Inject user to context
injetUserToContext needs to be modified to validate both the old JWT and the Auth0 access token.
If the call is made with an Auth0 access token, it needs to read the user's mobile_id from that token.