Correct way to make authenticated calls for binary data in image tags

adammtlx · March 4, 2020, 5:03pm

I’m building an application which uses a Spring Boot back end and a Vue SPA front end. Due to some lack of clarity in the documentation, I’m currently using the implicit flow (could use some clarity on what flow/quickstart should have been used in this case as well), which means my SPA retrieves the JWT auth token from Auth0 and sends it to my back end in the Authorization header. My Spring Boot back end then uses a JWT library to handle the token, authenticate it, and allow or deny the request.

This mostly works, although I’ve been forced to do some roundabout nonsense in the Vue front end to ensure the auth token is available before I make any calls, since on page refresh it goes out and retrieves a new token, which takes some time. The real problem is that my back end needs to be able to serve up binary data into HTML via <img> tags. When these requests occur they cannot, of course, attach the auth token header. Note that these are not static assets residing in either the front end or the back end. The back end is acting as a proxy for images located elsewhere that need to be displayed on the page, and they are highly dynamic and specific to the user in question.

I’ve dug around the documentation for a while and it’s still not clear to me how this problem should be approached. It seems likely that I need cookie or query parameter authentication, but I can’t find anything in Auth0’s documentation that would point me in the right direction to implement either in my situation. Any suggestions?

dan.woda · March 6, 2020, 2:51pm

Hi @adammtlx,

To confirm, you are making the call to your API via <img src='{API_ENDPOINT}> and you want to authenticate that call?

Let me know,
Dan

adammtlx · March 6, 2020, 3:03pm

Yep, that’s exactly what I’m looking to do.

dan.woda · March 6, 2020, 3:34pm

I don’t think you will be able to add the token as an auth header to the src attribute.

And getting the img in an AJAX request is out of the question?

mathiasconradt · March 6, 2020, 5:33pm

Since you’re using Vue.js, wouldn’t this work (not tested myself):

I’ve seen other approaches such as mentioned on

From the browser, make a post request to backend, let them know you are an authorized client (include the authorization header), and ask for a temporary url that will show the image publicly

From the backend, generate a signed url that is valid for a limited time and does not require authorization headers to show the image.

but if the Vue.js package above works, I think it would be the easiest.

adammtlx · March 9, 2020, 4:32pm

The vue-auth-image looks promising. I actually already tried loading the binary data directly into the src attribute but ran into some issues, but this may solve them. Thank you!

dan.woda · March 9, 2020, 5:25pm

Let us know how it goes!

dan.woda · March 24, 2020, 5:26pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.