We are trying to understand the best (cleanest, simplest) way forward using Auth0 with an Angular 2 front end and a Spring back end.
What we want to do is
- Have a user login to the Angular2 front end.
- Use the credentials of the successfully logged-in user to call secured REST endpoints (based on a user's role) on the Spring server.
Do we need to have a separate Auth0 client for both the front-end and back-end applications?
If so, does this mean that we will need to authenticate the user twice?
Or is it possible to set up one Auth0 client which both the Angular and Spring applications use?
If so, does this mean that we can pass the JWT from the Angular login to the Spring server?
Based on the information you provided the most suitable configuration for a situation where you have a SPA (Angular) and an API (Spring) would be:
- register/create a client application in Auth0 to model the SPA; see Clients section in the Dashboard.
- register/create an API (aka resource server) in Auth0 to model the API; see the APIs section in the Dashboard.
With this setup, the client application can request end-user authentication and at the same time request authorization to access the API on behalf of the end-user. In general, this means that the client application would receive an ID token that represents the end-user that authenticated and also an access token that could be used to call the API on behalf of that end-user.
For reference information and sample code see:
thanks for the advice, we are looking into this now.
re https://auth0.com/docs/api-auth/grant/implicit
Auth0 authenticates the user. The first time the user goes through this flow a consent page will be shown where the permissions, that will be given to the Client, are listed (for example: post messages, list contacts, and so forth).
Does this mean that each user (end user) will be prompted with a consent page?
The issue being that an end user would not understand what the permissions were for.
This doesn't feel like a good user experience.
You can configure the API you configured in Auth0 to Allow Skipping User Consent; this way the consent screen will not be displayed for first-party clients. Keep in mind that the setting above may be ignored (and consent always shown) if you're using redirect URIs based on localhost.