AuthHttpInterceptor not adding token

I’m adding Auth0 to an existing Angular 13 web app, and I have certain API calls in my app that need to know the user’s email for authorization purposes. Including the email address in the body can be altered/faked, allowing someone to see data they shouldn’t, so I wanted to include the auth token and use that to fetch the user data (including email).

I’ve been following what I see online for AuthHttpInterceptor, but the headers just aren’t getting added. I suspect my configuration is incorrect because I don’t have just one API? We have a company-wide identity provider used by multiple websites/webapps that’s handling authentication, then another API used only by this app, which is what needs the token to extract user details.

In the providers in my app.module.ts I have this.

provideAuth0({
  domain: env.DIP_DOMAIN,
  clientId: env.DIP_CLIENT_ID,
  authorizationParams: {
    redirect_uri: window.location.origin,
  },
  errorPath: 'loginerror',
  httpInterceptor: {
    allowedList: [
      {
        uri: 'http://localhost:4200/api/*',
        tokenOptions: {
          authorizationParams: {
            audience: env.DIP_CLIENT_ID,
          },
        },
      },
    ],
  },
}),
{ provide: HTTP_INTERCEPTORS, useClass: AuthHttpInterceptor, multi: true },

I don’t have access to the company-wide identity provider or its registration with Auth0, so I don’t think I’m able to add audience to the first authorizationParams without getting an “access denied, service not found” error. When I decode the token I get back from “oauth/token”, the audience is the same as the DIP_CLIENT_ID, so I reused that for the interceptor list entry, but using that same value higher up just gives me “access denied”.

The uri for the interceptor entry is the address for my app’s API, not the authentication API. (Right now the URI is listed at localhost because I’m just trying to get this working locally first.) I’ve also tried just “/api/*” and I’ve tried giving the address of a single specific call, but nothing works.

I feel like I must be misunderstanding/getting something wrong with the audience. Can anyone help me?

I was able to fix this by removing the audience entirely. From the documentation I thought it was required for an HTTP interceptor, but it’s not. Switching the allowedList to just ['/api/*'] solved the problem.
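An added example, not code from this thread or from the auth0-angular library: a simplified model of how an allowedList entry is compared with the URL string passed to HttpClient, usable as a check that the bearer token goes only to the intended API. It assumes the matching rule is exact match after stripping query and fragment, or prefix match when the entry ends in `*`; the helper names and sample requests are constructed, and token retrieval and the audience setting are not modelled.

```typescript
// Simplified model of allowedList matching (assumed rule, see lead-in).
// Hypothetical helper names; this is not the library's source.
type RouteEntry = string | { uri: string; httpMethod?: string };

interface SampleRequest { method: string; url: string }

// Drop the query string and fragment before the exact-match comparison.
function stripQuery(url: string): string {
  const cut = url.search(/[?#]/);
  return cut === -1 ? url : url.slice(0, cut);
}

function uriMatches(pattern: string, url: string): boolean {
  if (pattern === stripQuery(url)) return true;
  // A trailing '*' turns the entry into a prefix match on the raw URL.
  const isWildcard = pattern.charAt(pattern.length - 1) === '*';
  return isWildcard && url.indexOf(pattern.slice(0, -1)) === 0;
}

function wouldAttachToken(allowedList: RouteEntry[], req: SampleRequest): boolean {
  return allowedList.some((entry) => {
    if (typeof entry === 'string') return uriMatches(entry, req.url);
    if (entry.httpMethod && entry.httpMethod !== req.method) return false;
    return uriMatches(entry.uri, req.url);
  });
}

// Constructed sample requests; url is the string the app hands to HttpClient.
const sampleRequests: SampleRequest[] = [
  { method: 'GET', url: '/api/orders?page=2' },
  { method: 'GET', url: 'http://localhost:4200/api/orders' },
  { method: 'GET', url: '/assets/logo.svg' },
  { method: 'POST', url: 'https://third-party.example/collect' },
];

// List the sample requests that would carry the Authorization header.
function audit(allowedList: RouteEntry[]): string[] {
  return sampleRequests
    .filter((req) => wouldAttachToken(allowedList, req))
    .map((req) => `${req.method} ${req.url}`);
}

const relativeList: RouteEntry[] = ['/api/*'];
const absoluteList: RouteEntry[] = [{ uri: 'http://localhost:4200/api/*' }];

console.log('relative entry ->', audit(relativeList));
console.log('absolute entry ->', audit(absoluteList));
```

Under this model a relative entry only covers requests made with a relative URL and an absolute entry only covers requests made with that exact origin, so neither list sends the token to static assets or to another host.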
