Help me understand OAuth2/Ueberauth

So I am building an application that requires single-sign-on. It is split into a frontend-app and a backend-app where the backend is implemented in Elixir/Phoenix. I have found a lot of examples going through this flow but they all assume an Elixir/Phoenix project with a frontend containing view-templates etc. My backend will only serve JSON responses.

  1. Is Ueberauth still the right choice in this case?

  2. Should SSO authentication be in the backend?

Once authenticated using Ueberauth and using an identity provider like Google I receive a token with a lot of information from them. Based on this I can lookup/create a user in my own database. Now:

  1. Do I pass this token I got from the provider back to the frontend? Or do I create a new (JWT) token with info relevant to my application/authentication using Guardian? The Google token has an expiry of 1 hour, whereas I could control this on my own without being dependent on a provider. However, then I have only used Ueberauth for the lookup/creation of a user. Security is still relying on implementing JWT authentication correctly. Is this correct?

I appreciate any help. I have been reading many articles about it but I don’t get the full flow.

I am not sure how this would work with an API, as you have some redirection when the response comes back.

Also, I would consider using Phoenix.Token instead of JWT; they are lighter, and I would not return the provider token to the frontend.
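The following is an added example (not code from the thread, from Ueberauth or from Phoenix) that puts both points together: the question's choice between handing the provider token to the frontend or minting an application token, and the reply's suggestion to use Phoenix.Token and keep the provider token server-side. It assumes a Phoenix-generated project (`MyAppWeb`, `MyAppWeb.Endpoint`) and a hypothetical `MyApp.Accounts.find_or_create_from_oauth/1` context function; the module, salt and lifetime values are assumptions, not anything the thread specifies.

```elixir
# Added example: JSON-only Ueberauth callback that exchanges a provider
# identity (e.g. Google) for a short-lived Phoenix.Token, plus the plug that
# verifies that token on API requests. MyAppWeb / MyApp.Accounts are assumed.
defmodule MyAppWeb.AuthController do
  use MyAppWeb, :controller
  plug Ueberauth

  # The salt namespaces the token; the signing secret is the endpoint's
  # secret_key_base. Lifetime is enforced at verify time via :max_age.
  @token_salt "api-session"
  @token_max_age 24 * 60 * 60

  # GET /auth/:provider is handled by the Ueberauth plug (it redirects to the
  # provider). GET /auth/:provider/callback lands here with the result in
  # conn.assigns (either :ueberauth_failure or :ueberauth_auth).

  def callback(%{assigns: %{ueberauth_failure: failure}} = conn, _params) do
    # Return only a summary of the provider's error messages to the client.
    messages = Enum.map(failure.errors, & &1.message)

    conn
    |> put_status(:unauthorized)
    |> json(%{error: "authentication failed", details: messages})
  end

  def callback(%{assigns: %{ueberauth_auth: auth}} = conn, _params) do
    # Only identity fields are used to look up/create the local user.
    # auth.credentials.token (the provider access token) is deliberately
    # never included in the response; it stays on the server.
    attrs = %{
      provider: to_string(auth.provider),
      uid: auth.uid,
      email: auth.info.email,
      name: auth.info.name
    }

    # Hypothetical context function: returns {:ok, %User{}} or {:error, changeset}.
    case MyApp.Accounts.find_or_create_from_oauth(attrs) do
      {:ok, user} ->
        # The token carries only the local user id; the lifetime is decided by
        # the application, independent of the provider's 1-hour expiry.
        token = Phoenix.Token.sign(MyAppWeb.Endpoint, @token_salt, user.id)
        json(conn, %{token: token, expires_in: @token_max_age})

      {:error, _changeset} ->
        conn
        |> put_status(:unprocessable_entity)
        |> json(%{error: "could not create user"})
    end
  end
end

# Plug for the API pipeline: reads "Authorization: Bearer <token>", verifies
# signature and age, and assigns the user id for downstream controllers.
# The salt and max_age must match the values used when signing above.
defmodule MyAppWeb.Plugs.RequireApiToken do
  import Plug.Conn
  @behaviour Plug

  @token_salt "api-session"
  @token_max_age 24 * 60 * 60

  def init(opts), do: opts

  def call(conn, _opts) do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user_id} <-
           Phoenix.Token.verify(MyAppWeb.Endpoint, @token_salt, token, max_age: @token_max_age) do
      assign(conn, :current_user_id, user_id)
    else
      # Covers a missing header, {:error, :invalid} and {:error, :expired}.
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"error":"invalid or expired token"}))
        |> halt()
    end
  end
end
```

Two practical notes. First, the provider still delivers the callback as a browser redirect, so the JSON above is what the browser tab receives after `/auth/:provider/callback`; a frontend app therefore needs its own way of picking up the issued token from that response (or the callback can hand it over to the frontend route instead of rendering JSON directly), which is the redirection concern raised in the reply. Second, `Phoenix.Token.verify/4` only rejects expired tokens when `:max_age` is passed, so keep the signing and verifying lifetimes in one place rather than duplicating them as the example does for readability.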