
Auth0.com, how does it really work?

Tags: jwt, auth0

I would like to ask: who generates JWT tokens when a user has logged in? If a user has logged in via Facebook, does it mean that Facebook generates the token? What role does Auth0.com play? Thanks

tylkonachwile asked May 15 '17 17:05


1 Answer

I'm going to guess that you are using Auth0 for authentication, but that you have configured Auth0 so that users can log in with other authentication providers (e.g. Facebook). In that case it's always Auth0 that generates the tokens that you receive from Auth0 - this is so that the method through which you validate the tokens is always the same (use the Auth0 public key) regardless of how they authenticated the user.

However, it's up to Auth0 to authenticate the user - totally legitimate ways of doing this include:

  1. Username + password
  2. One time password
  3. Using another open-id provider (e.g. Facebook)

And in case #3 the process recursively starts again, instead this time Auth0 takes the role of the client app and Facebook is generating the JWT. Auth0 validates the token generated by Facebook, and then uses that as proof that the logged-in user is who they say they are, and that it's safe to issue its own JWT to your app.

Justin answered Sep 26 '22 01:09