I'm trying to understand best practice for a use case where we are calling a downstream API server as the end user. In some of the common API Management solutions they all come equipped with the ability to validate a JWT against an upstream authorization server.
1. Is it best to call the downstream API with a machine-to-machine token and pass the user id as a parameter to the API?
2. Pass a user-specific token to the downstream API using a shared signing key?
3. Pass a user-specific token to the downstream API using a public/private key setup, and enable next-auth with an endpoint that exposes the public key so the token can be validated against it? (pretty sure this isn't possible)
4. If the provider used was an OpenID provider, then store the identity token in the next-auth session, proxy the request through a Next.js API route to add the OpenID token, and have the API management solution validate the identity token against the OpenID provider's well-known endpoint?
What's commonly done here? What do you think best practice is?