With the new third-party authentication support, is it recommended to give third-party applications access directly to your database at https://graphql.fauna.com/graphql? For instance, if you set up dynamic client registration in Auth0, a user could create an application and use the OAuth flow to authenticate users and get a JWT. Then that application would be able to query the database directly, and this would avoid needing a custom API. Is there a downside to this approach?
However, how your tokens are stored could be hidden in your Auth0 library in this case. So it essentially boils down to figuring out how Auth0 stores authentication information in the browser and determining whether you are OK with that. I can’t say for sure how that happens, but as far as I know it’s technically impossible to use httpOnly cookies. There are some questions on the Auth0 forum about that though:
I think they store something short-lived in memory and then use silent authentication to refresh it based on a (non httpOnly) cookie, but I’m not certain exactly how that happens.
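As an added example (not code from this thread, from Fauna or from Auth0), the snippet below models the two storage choices the answer contrasts: a token held only in memory, refreshed before expiry, versus one an SDK persists to localStorage. It also includes a small audit helper that scans a Storage-like object for JWT-shaped values, which is the practical way to find out what a library actually writes to the browser. The endpoint is the one from the question; every key name, claim value and the unsigned demo token are constructed for illustration.

```javascript
// Added example; not from the forum thread, Fauna or Auth0. Sample keys,
// claims and the demo token below are constructed placeholders.

const GRAPHQL_ENDPOINT = 'https://graphql.fauna.com/graphql';

// JWT segments are base64url without padding; convert to/from standard base64.
function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}
function encodeSegment(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the claims of a compact JWT WITHOUT verifying it. This is only for
// client-side bookkeeping (reading `exp`); the server must verify the signature.
function parseJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(decodeSegment(parts[1])); } catch { return null; }
}

// Treat a token as expired if `exp` is missing, unparsable, or within `skewSeconds`.
function isExpired(token, nowSeconds, skewSeconds = 30) {
  const claims = parseJwtClaims(token);
  if (!claims || typeof claims.exp !== 'number') return true;
  return claims.exp - skewSeconds <= nowSeconds;
}

// In-memory holder: the token lives in a closure, never in localStorage.
// A page reload loses it, which is why SDKs pair this with silent refresh.
function createMemoryTokenStore() {
  let token = null;
  return {
    set(t) { token = t; },
    get() { return token; },
    clear() { token = null; },
  };
}

// Build fetch options for a direct GraphQL call carrying the token as Bearer auth.
function buildGraphqlRequest(token, query, variables = {}) {
  return {
    url: GRAPHQL_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({ query, variables }),
  };
}

// Audit helper: scan a Storage-like object (localStorage, sessionStorage, or a
// dump of either) for JWT-shaped strings and report the key and decoded claims.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
function findPersistedTokens(storage) {
  const hits = [];
  for (const [key, value] of Object.entries(storage)) {
    for (const t of String(value).match(JWT_RE) || []) {
      hits.push({ key, claims: parseJwtClaims(t) });
    }
  }
  return hits;
}

// Constructed demo token with a placeholder signature (a real token is signed
// by the issuer); enough to exercise the parsing and audit logic offline.
function makeDemoJwt(claims) {
  const header = encodeSegment(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${encodeSegment(JSON.stringify(claims))}.placeholder-signature`;
}

// Constructed snapshot of what an SDK might leave in localStorage.
const SAMPLE_STORAGE = {
  'example-sdk.is.authenticated': 'true',
  'example-sdk.cache': JSON.stringify({
    body: { access_token: makeDemoJwt({ sub: 'user|123', exp: 1700000000 }) },
  }),
  theme: 'dark',
};

// Usage: the in-memory path refreshes before calling the database directly;
// the audit path shows the persisted token the memory path avoids.
function demo(nowSeconds = 1699999990) {
  const store = createMemoryTokenStore();
  store.set(makeDemoJwt({ sub: 'user|123', exp: 1700000000 }));
  const needsRefresh = isExpired(store.get(), nowSeconds); // within 30s skew
  const request = buildGraphqlRequest(store.get(), '{ allUsers { data { name } } }');
  const persisted = findPersistedTokens(SAMPLE_STORAGE);
  return { needsRefresh, request, persisted };
}
```

If the audit helper reports hits on a real page, the token is readable by any script running in that origin, which is the trade-off the answer describes; a memory-only store combined with silent refresh limits that exposure at the cost of re-authenticating on reload.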