Confused on how to implement this architecture

I’ve got a 2 server configuration for my application where one server is running my angularJS UI and the other is running a spring API. I’ve got the angularJS one working with the help of the Single App Page Quick start and used the API/machine to machine quick start for the Spring backend. So, my question is that it appears I have to authenticate both with Auth0 from the AngularJS side to login, and then again to authenticate with the Spring API before accessing its endpoints, but is this how I should be doing this?

Hi @brockmei,

You really only need to authenticate with the SPA, then pass the resulting access token to the API for authorization.

Take a look at this scenario for a detailed example:

Hope this helps!

Thanks,
Dan

Hi @dan.woda,

Could you please explain the pros and cons of using the SPA + API flow compared to:

  • Complete user auth through SPA (with a SPA Application through Auth0)
  • Sending the users access_token with request to your backend
  • Send that access_token to https://auth0Username.auth0.com/userinfo with the Authorization: Bearer ${access_token} header

The flow I just described only requires a single Application registered through Auth0 using a SPA and does not require you to create an API through Auth0.

Hi @bbenefield89,

Welcome to the Auth0 Community Forum!

The backend and an API could serve different functions. How you craft the structure is going to depend largely on the requirements of your application.

From the doc mentioned above:

An API endpoint is a unique URL that represents an object. In order to interact with this object you need to point your application towards that URL. For example, if you had an API that could return either orders or customers, you might configure two endpoints: /orders and /customers. Your application would interact with these endpoints using different HTTP methods, for example POST /orders to create a new order, or GET /orders to retrieve the dataset of one or more orders.

This type of service allows you the flexibility and control that your backend might not. In a scenario where you have multiple applications or services that need access to a resource (the orders or customers in this example) an API will likely serve you better than a dedicated backend.

Another pro of having registered APIs and associated scopes is access management. Assigning users roles (a built-in function of Auth0 role based access control) will allow you to manage what your users have access to.

That isn’t to say that this couldn’t be done with a backend, but that it could provide challenges when scaling.

Think about creating a SPA, mobile app, and desktop app that all require access to the same resource; in that instance an API is going to provide flexibility.

There is not going to be one right answer here, and I’m sure others may have opinions or critiques.

Hope this helps!

Thanks,
Dan
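As an added example (not code from the original poster, from Dan, or from Auth0), this is the resource-server side of the SPA + API flow described in this thread: a Spring Security configuration that verifies the bearer access token the SPA forwards, locally against the tenant's signing keys, and enforces the scopes registered on the Auth0 API per endpoint. It assumes Spring Security 5.x with the oauth2-resource-server and oauth2-jose modules on the classpath; the issuer, audience and scope names are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    // Placeholders: the tenant domain (token issuer) and the API identifier
    // entered when the API was registered in the Auth0 dashboard.
    private static final String ISSUER = "https://YOUR_TENANT.auth0.com/";
    private static final String AUDIENCE = "https://YOUR_API_IDENTIFIER";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Spring maps the JWT "scope" claim to SCOPE_* authorities, so the
            // scopes granted to the user in Auth0 decide what each endpoint allows.
            .antMatchers(HttpMethod.GET, "/orders").hasAuthority("SCOPE_read:orders")
            .antMatchers(HttpMethod.POST, "/orders").hasAuthority("SCOPE_write:orders")
            .anyRequest().authenticated()
            .and()
            // The bearer token is verified locally on every request; no /userinfo round trip.
            .oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Fetches the signing keys (JWKS) via the issuer's OIDC discovery document.
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(ISSUER);
        // The default validator checks signature, exp/nbf and issuer; the audience
        // check additionally rejects tokens that were minted for a different API.
        OAuth2TokenValidator<Jwt> audience = jwt -> jwt.getAudience().contains(AUDIENCE)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "required audience is missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
}
```

The SPA only needs to request the token with this API's identifier as the audience and send it as `Authorization: Bearer <token>`; a token obtained without that audience (for example one meant only for /userinfo) fails the audience check above.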
