Based on the documentation, after successful authentication on Auth0, the request gets redirected to the Liferay callback URI with an auth token. My question is, how does Liferay determine that the 'auth token' is for a successfully authenticated user? Can someone generate an 'auth token' on the fly to spoof a user?
The reason I'm asking is that I wanted to find out whether my Liferay app needs an additional call to Auth0 with this 'auth token' to ensure it is valid.
My assumption is that an additional payload (e.g. parameters, JSON, XML, etc.) will be part of the redirection, and very likely cryptographically signed.
Thanks. Reading the "3.1.1. Authorization Code Flow Steps" section, it seems an auth code will be part of the URI, which later gets exchanged for an access/ID token.
Thanks. I read more about this, and it seems what you mentioned is going to be the case. I am going to run the integration and will check it out.
– flashyjen