Yes, that is correct. Ideally, for the most secure setup, you should use the authorization code grant flow, which would involve your backend gaining access to Okta / Auth0 rather than your frontend. But yes, many people use the default setup, which involves their own frontend having access to the user's info on the IdP. The default setup may also involve using localStorage with Auth0, which we do not recommend (nor do many other bodies, such as OWASP and NIST).
Glad you liked our articles!
> In terms of implementing user management:
We provide the following user management functions:
- Loop through all users
- Ban / unban via session revocation
- Adding / modifying user roles in the session and fetching them in a backend API (post session verification) and the frontend

What we don't have:
- A UI to manually see / edit the info mentioned above
- Delete user functionality (we plan to add this)
So if you can do without the things we don't have, then it shouldn't take much time for you.
Feel free to join our Discord at supertokens.io/discord if you like!
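The backend-driven authorization code flow the reply above recommends, as an added example that is not part of the original post and not code from the SuperTokens, Auth0 or Okta SDKs: the backend acts as the confidential client, keeps the client secret and PKCE verifier server-side, exchanges the code itself, and hands the browser only an opaque HttpOnly session cookie, so neither the IdP tokens nor the user's IdP info reach page scripts or localStorage. The IdP URLs, client credentials and the `FakeIdp` class are constructed for the example so it runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical IdP and client settings (assumptions for the example, not real endpoints).
IDP_AUTHORIZE_URL = "https://idp.example/authorize"
IDP_TOKEN_URL = "https://idp.example/oauth/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"  # only the backend ever holds this
REDIRECT_URI = "https://app.example/auth/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class Backend:
    """Confidential client. IdP tokens stay here; the browser only gets an opaque cookie."""

    def __init__(self, post_token_request):
        # post_token_request(url, form) -> dict stands in for an HTTPS POST (offline example).
        self._post = post_token_request
        self._pending = {}   # state -> PKCE verifier, consumed on callback
        self._sessions = {}  # opaque session id -> tokens and claims, server-side only

    def start_login(self) -> str:
        """Build the IdP redirect; state ties the callback to this login attempt."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(48)
        self._pending[state] = verifier
        params = {
            "response_type": "code",  # authorization code grant, not implicit/token
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid profile",
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return IDP_AUTHORIZE_URL + "?" + urlencode(params)

    def handle_callback(self, state: str, code: str) -> dict:
        """Exchange the code server-side; return only the response headers for the browser."""
        verifier = self._pending.pop(state, None)  # unknown or reused state is rejected
        if verifier is None:
            raise PermissionError("unknown or replayed state")
        tokens = self._post(IDP_TOKEN_URL, {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
            "code_verifier": verifier,
        })
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = tokens
        # HttpOnly keeps the session id away from page scripts; nothing from the IdP is exposed.
        return {"Set-Cookie": f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"}

    def subject_for(self, sid: str):
        """What an API handler does after verifying the session cookie: look up the user."""
        session = self._sessions.get(sid)
        return None if session is None else session["claims"]["sub"]


class FakeIdp:
    """Constructed stand-in for Okta/Auth0, just enough to exercise the exchange offline."""

    def __init__(self):
        self._codes = {}  # code -> challenge; codes are single use

    def approve(self, authorize_url: str):
        """Simulate the user logging in and consenting; returns the redirect's state and code."""
        q = parse_qs(urlparse(authorize_url).query)
        assert q["response_type"] == ["code"] and q["code_challenge_method"] == ["S256"]
        code = secrets.token_urlsafe(16)
        self._codes[code] = q["code_challenge"][0]
        return q["state"][0], code

    def token(self, url: str, form: dict) -> dict:
        """Token endpoint: checks client secret, single-use code and PKCE verifier."""
        if url != IDP_TOKEN_URL or form.get("client_secret") != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        challenge = self._codes.pop(form.get("code"), None)
        if challenge is None:
            raise PermissionError("invalid or already used code")
        if not hmac.compare_digest(pkce_challenge(form["code_verifier"]), challenge):
            raise PermissionError("PKCE verification failed")
        return {"access_token": "at-" + secrets.token_hex(8), "claims": {"sub": "user-123"}}


def login_flow():
    """Run one complete login; return the backend, the cookie header and the resolved subject."""
    idp = FakeIdp()
    backend = Backend(idp.token)
    state, code = idp.approve(backend.start_login())
    cookie = backend.handle_callback(state, code)["Set-Cookie"]
    sid = cookie.split(";")[0].split("=", 1)[1]
    return backend, cookie, backend.subject_for(sid)
```

The point to take from it is what the browser never sees: the client secret, the code verifier and the access token all stay inside `Backend`, and a callback with a state the backend did not issue (or one already used) is refused before any token request is made.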