
Client Auth with Securing REST API


#1

I wonder if someone can help me out.
I created a single-page app that I am using from Angular; all works as expected. Now I have created a new API on the server side (Java, Spring) and I would like to secure it when the client makes the calls.

I have created a new API and I connected this API application, but still it does not work.

To test, I used the token retrieved in the Angular client in the curl command to test the /private API, based on this example:

I have configured the identifier with the correct one.

When I try to obtain a token manually using the curl command described in the LINK, auth works.
But not if I try to use the token retrieved by the client, copying this token and using it in the curl command.

Are some additional settings needed? I just need the server to verify only.
I don't really want to generate the token on the server side; I want the client to create it.

Thank you so much.

Frank


#2

:wave: @frantisek.kolar1, if I understood correctly, you have an Angular application that you want to be able to call your API that is on your server (written in Java/Spring)? I would suggest using the Implicit Grant to communicate between your SPA (single-page application) and your API. We could set up the API in the Auth0 Dashboard. After that, we can get consent from the user to invoke the API. Then we will need to extract the access token that is returned. Once we have the access token, we can call our API.

Would this be suitable for what you are trying to achieve?

Further resources on the Implicit Grant, SPAs, and APIs:



#3

Thanks a lot for your feedback. I need to go through all these materials, as I am not sure where to start…


#4

@frantisek.kolar1 sure thing! I'll try to provide some more helpful steps, as I feel my post before might be too vague and an overload of information. Let me know what steps you have done, what you have tried so far, and where/when you get stuck!

You said you have an Angular application; have you set up the application to authenticate with Auth0? We have some quickstarts for Angular (AngularJS, Angular 2) that discuss authentication and logging a user in.

In the application, when it makes calls to your API, you'll need to provide a token to authorize the application to do so. So, what we can do is have our Angular application authenticate via the Implicit Grant flow (described in the links), upon which we will receive an access_token and id_token. We will need to send that access_token to our API. I believe the quickstart sets the audience to the /userinfo endpoint; we would set it to our API (the value being audience: 'YOUR_API_IDENTIFIER',). Once we send the access_token in the Authorization header to our API, our API will validate it and allow the application to make requests.

Does this sound like what you are trying to retrieve? Apologies for all the questions and information overload!


#5

No no. Your answer was excellent. It is just that I need to go through the links you sent me, and then I can ask a more specific question. :wink: