AuthGuard on paths redirects to the base url app

I have an issue, using AuthGuard on routes. After successful login, when I try to navigate to the path protected with AuthGuard, it redirects me to the root url, like for example: http://localhost:7200.

I have noticed, when I try to access the AuthGuard route, on Network I see a request with name token and status code 401 Unauthorized.

Please have in mind that am using a Regular Web Application service on my auth0 account for this angular project and I have provided the correct clientId as long as the domain.

I have initialized the auth0-angular like below:

Inside app.module I added:

AuthModule.forRoot({ domain: [domain], clientId: '[clientId]', authorizationParams: { redirect_uri:${window.location.origin}, }, }),

On app-routing.module.ts

` import { DashboardComponent } from ‘./modules/dashboard/dashboard.component’;
import { AuthGuard } from ‘@auth0/auth0-angular’;

const routes: Routes = [

  {
    path: 'dashboard',
    component:DashboardComponent,
    canActivate: [AuthGuard],
  },
];

@NgModule({
  imports: [RouterModule.forRoot(routes)],
  exports: [RouterModule],
})
export class AppRoutingModule {}`

Reproduction

Step 1: Iinitialize a Regular Web Application On auth0.com

Step 2: Copy the code above

Step 3: And test it

Additional context

No response

auth0-angular version

2.2.1

Angular version

16.2.9

Which browsers have you tested in?

Chrome

Hello Chris and welcome to the Auth0 Community!

What’s the behavior you’re expecting to see? Also, is there any particular reason you’re using a regular web application instead of a SPA app?

Hello @mraible,

The reason am usign Regular Web App is because I want to use the service for backend in order to secure API endpoints.

I have managed to resolve the issue by changing the Authentication Method under Credentials from Client Secret (POST) to None, however am not sure how secure is that. Also, why there is a clientSecret token since in the auth0-angular library the clientSecret is not referenced anywhere ?

I don’t think you should use a regular web app for your Angular app. Using a SPA app is the recommended approach. If you want to make your backend app into a resource server that your frontend app can talk to, you can still use the same issuer, with no client ID or secret. The JWT validation will be done using the JWKS from your issuer.

I agree that a SPA app shouldn’t have a client ID in the Auth0 Dashboard.

How I will restrict access on my API endpoind if i use SPA ? Am using ASP .Net Core for backend API, and I want to put Auth Guard on my Endpoints, and to decode the token with related information like user and role etc

@mraible Any answer regarding auth token to be used for a backend system ?