Angular 2 SPA and Spring Service Layer

We are trying to understand the best (cleanest, simplest) way forward using Auth0 with an Angular 2 front end and a Spring back end.

What we want to do is

  1. Have a user log in to the Angular 2 front end.
  2. Use the credentials of the successfully logged-in user to call secured REST endpoints (based on a user's role) on the Spring server.

Do we need to have a separate Auth0 client for both the front-end and back-end applications?

If so, does this mean that we will need to authenticate the user twice?

Or is it possible to set up one Auth0 client which both the Angular and Spring applications use?

If so, does this mean that we can pass the JWT from the Angular login to the Spring server?

Based on the information you provided, the most suitable configuration for a situation where you have a SPA (Angular) and an API (Spring) would be:

  • register/create a client application in Auth0 to model the SPA; see the Clients section in the Dashboard.
  • register/create an API (aka resource server) in Auth0 to model the API; see the APIs section in the Dashboard.

With this setup, the client application can request end-user authentication and at the same time request authorization to access the API on behalf of the end-user. In general, this means that the client application would receive an ID token that represents the end-user that authenticated and also an access token that could be used to call the API on behalf of that end-user.

For reference information and sample code see:
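As an added example (not code from this thread or from Auth0's own samples), this is the Spring side of that setup: a Spring Security 6 resource-server configuration that validates the access token the Angular SPA sends as a Bearer header and gates endpoints by role. The issuer, audience and roles-claim name are placeholder assumptions; the audience check is what stops an ID token (whose `aud` is the client ID) from being accepted in place of the access token.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {
  // Placeholders (assumed): tenant issuer, the API identifier entered when the API
  // was created in the Auth0 dashboard, and a custom namespaced claim carrying roles.
  static final String ISSUER = "https://YOUR_TENANT.auth0.com/";
  static final String AUDIENCE = "https://api.example.com/";
  static final String ROLES_CLAIM = "https://example.com/roles";

  @Bean
  JwtDecoder jwtDecoder() {
    // Signing keys are fetched from the tenant JWKS; default validator covers exp/nbf and iss.
    NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(ISSUER + ".well-known/jwks.json").build();
    OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(ISSUER);
    // Reject any token not issued for this API (an ID token carries the client ID as aud).
    OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
        "aud", aud -> aud != null && aud.contains(AUDIENCE));
    decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audience));
    return decoder;
  }

  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // Map the roles claim to ROLE_* authorities so hasRole() can gate endpoints.
    JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
    roles.setAuthoritiesClaimName(ROLES_CLAIM);
    roles.setAuthorityPrefix("ROLE_");
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    converter.setJwtGrantedAuthoritiesConverter(roles);
    http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/admin/**").hasRole("admin")
            .requestMatchers("/api/**").authenticated()
            .anyRequest().denyAll())
        .oauth2ResourceServer(oauth2 -> oauth2
            .jwt(jwt -> jwt.decoder(jwtDecoder()).jwtAuthenticationConverter(converter)));
    return http.build();
  }
}
```

The roles claim only exists if something in the tenant adds it to the access token; without it, every authenticated user passes the `/api/**` rule but nobody passes `/api/admin/**`.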

Thanks for the advice, we are looking into this now.

Re: https://auth0.com/docs/api-auth/grant/implicit

Auth0 authenticates the user. The first time the user goes through this flow a consent page will be shown where the permissions, that will be given to the Client, are listed (for example: post messages, list contacts, and so forth).

Does this mean that each user (end user) will be prompted with a consent page?
The issue being that an end user would not understand what the permissions were for.
This doesn't feel like a good user experience.

You can configure the API you created in Auth0 to Allow Skipping User Consent; this way the consent screen will not be displayed for first-party clients. Keep in mind that the setting above may be ignored (and consent always shown) if you're using redirect URIs based on localhost.