I’m building an application which uses a Spring Boot back end and a Vue SPA front end. Due to some lack of clarity in the documentation, I’m currently using the implicit flow (could use some clarity on what flow/quickstart should have been used in this case as well), which means my SPA retrieves the JWT auth token from Auth0 and sends it to my back end in the Authorization header. My Spring Boot back end then uses a JWT library to handle the token, authenticate it, and allow or deny the request.
This mostly works, although I’ve been forced to do some roundabout nonsense in the Vue front end to ensure the auth token is available before I make any calls, since on page refresh it goes out and retrieves a new token, which takes some time. The real problem is that my back end needs to be able to serve up binary data into HTML via <img> tags. When these requests occur they cannot, of course, attach the auth token header. Note that these are not static assets residing in either the front end or the back end. The back end is acting as a proxy for images located elsewhere that need to be displayed on the page, and they are highly dynamic and specific to the user in question.
I’ve dug around the documentation for a while and it’s still not clear to me how this problem should be approached. It seems likely that I need cookie or query parameter authentication, but I can’t find anything in Auth0’s documentation that would point me in the right direction to implement either in my situation. Any suggestions?
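One client-side way around the <img> limitation described in the post is to request the image with fetch, attach the same bearer token there, and hand the bytes to the <img> element as an object URL. This is an added example, not part of the original post: the function names, the /api/images/42 endpoint and the token values are assumptions, and the back end is replaced by a constructed stand-in so the code runs offline.

```javascript
// Added example. Function names, endpoint and token values are assumptions.
async function loadProtectedImage(url, accessToken, deps = {}) {
  const fetchImpl = deps.fetch || globalThis.fetch;
  const toObjectUrl = deps.createObjectURL || ((blob) => URL.createObjectURL(blob));
  const revokeUrl = deps.revokeObjectURL || ((u) => URL.revokeObjectURL(u));

  // After a page refresh the token may not be ready yet: refuse to send an
  // unauthenticated request instead of silently rendering a broken image.
  if (!accessToken) throw new Error('access token not available');

  const response = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${accessToken}` },
    credentials: 'omit', // header-based auth only, no cookies
    cache: 'no-store',   // user-specific image: keep it out of the HTTP cache
  });
  if (!response.ok) throw new Error(`image request failed: ${response.status}`);

  // Only render what the proxy labelled as an image.
  const type = response.headers.get('Content-Type') || '';
  if (!type.startsWith('image/')) throw new Error(`unexpected content type: ${type}`);

  const objectUrl = toObjectUrl(await response.blob());
  // Revoke when the <img> goes away so the bytes are released.
  return { objectUrl, revoke: () => revokeUrl(objectUrl) };
}

// Constructed stand-in for the back end so the example runs offline: it
// serves the image only when the expected bearer token is present.
function fakeBackend(expectedToken, contentType = 'image/png') {
  return async (url, init) => {
    const ok = init.headers.Authorization === `Bearer ${expectedToken}`;
    return {
      ok,
      status: ok ? 200 : 401,
      headers: { get: () => contentType },
      blob: async () => ({ size: 4, type: contentType }),
    };
  };
}

// Browser usage (assumed endpoint):
//   img.src = (await loadProtectedImage('/api/images/42', token)).objectUrl;
```

The token never appears in a URL with this approach, so it stays out of browser history, Referer headers and server access logs.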