Basic question on PKCE - use a guest/public user


I am quite new to Auth0. So this is probably a very silly and simple question, but I am not figuring out how to solve this.
I have a React SPA which is calling a backend API where endpoints are protected by Auth0.

When a user is using the SPA, he is not forced to log in. In that case, we assume he is working as a ‘public’ or ‘guest’ user. He can only see info which is available for public/guest users.

But after he logs in, he will get some extra features in the app and is able to consult some personalized info.
So I figured out how to use the SDK to provide a login screen using the PKCE flow. The API gets the authorization code and I'm able to see which user is signed in.
But what about the guest/public user? Is there a way to get an authorization code for a so-called guest/public user silently?

I have been looking in the docs, but have still not figured it out.


I do not know if this is the best solution. So I created a separate endpoint getGuestToken in my API which is publicly available. Next, in Auth0, I created an M2M application. Within the getGuestToken endpoint I call the authorize of Auth0 to get an accessToken. Seems to work.
Next challenge:

  • Protect the getGuestToken endpoint so it can only be called from the SPA URL
  • In the SPA, I am still figuring out how to use the returned authorization code together with the auth0-sdk.
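
A sketch of the server side of the getGuestToken endpoint described in the post, added here as an illustration and not code from the poster or from Auth0. It assumes the M2M application uses the client-credentials grant against the tenant's `/oauth/token` endpoint; the origin, the config field names and the function names are hypothetical.

```javascript
// Added example: all names and values below are hypothetical placeholders.
const ALLOWED_ORIGINS = new Set(["https://spa.example.com"]); // assumed SPA origin

// Exact-match comparison; prefix or substring checks would accept look-alike hosts.
function isAllowedOrigin(originHeader) {
  return typeof originHeader === "string" && ALLOWED_ORIGINS.has(originHeader);
}

// Client-credentials request for the M2M application (the secret stays server-side).
function buildTokenRequest({ domain, clientId, clientSecret, audience }) {
  return {
    url: `https://${domain}/oauth/token`,
    init: {
      method: "POST",
      headers: { "content-type": "application/json" },
      body: JSON.stringify({
        grant_type: "client_credentials",
        client_id: clientId,
        client_secret: clientSecret,
        audience,
      }),
    },
  };
}

// Returns an async handler that reuses one guest token until shortly before it
// expires, so anonymous traffic cannot trigger one Auth0 call per request.
function createGuestTokenProvider(cfg, fetchImpl = globalThis.fetch, now = Date.now) {
  let cached = null; // { token, expiresAt }
  return async function getGuestToken(originHeader) {
    if (!isAllowedOrigin(originHeader)) {
      return { status: 403, body: { error: "origin_not_allowed" } };
    }
    if (!cached || now() >= cached.expiresAt) {
      const { url, init } = buildTokenRequest(cfg);
      const res = await fetchImpl(url, init);
      if (!res.ok) return { status: 502, body: { error: "token_request_failed" } };
      const data = await res.json();
      // Refresh 60 s early so a token handed out is never already expired.
      cached = { token: data.access_token, expiresAt: now() + (data.expires_in - 60) * 1000 };
    }
    return { status: 200, body: { access_token: cached.token } };
  };
}
```

The `Origin` header is set by browsers, and a non-browser client can send any value, so this check filters cross-site browser calls but does not authenticate the caller. The guest token should therefore carry only the scopes the public data needs.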