I have a Node.js API (koa) and a single-page app client (Vue.js). I’d like the SPA to have a login button that shows the Lock modal/form and lets users sign up/in using username-passwords. Once signed in successfully, they’ll be able to access the restricted endpoints of my API. I’m pretty sure I’m almost there, but it seems like the “auth0 client” I’ve set up doesn’t know how to talk to the “auth0 api” I’ve set up.
I set up an “API” in Auth0, then wired my koa app to use koa-jwt and node-jwks-rsa - it now works with one of the example payloads in Auth0’s API “test” section. I also set up a “Client” in Auth0, then got the Lock modal to show and I log the result to console. But what gets logged is an access_token that’s very short (like 26 chars) and very different from the payload from the API’s “test” section.
It seems if I play with the “audience” property on the client, it does seem to generate an access_token that works, but (a) it prompts the user to “authorize” their account to work with the API (similar to OAuth, but I can’t imagine why it would do that in this scenario), and (b) setting the “audience” property in Lock is undocumented and I’m not sure it’s supported.
I’ve been struggling for several hours now trying to figure out how to do this, and I keep feeling like I’m missing something obvious, because I assume this is what most people use Auth0 for?