Auth0 Home Blog Docs

First party SPA using connectors and talking with a first party API


#1

First a disclaimer and an apology: I’ve done a bunch of reading over the last few hours in an attempt to grasp the concepts and best practices before asking my question: the quick start guides, the SPA & custom API guide, the difference between ID Token and Access Token, etc. I can’t seem to wrap my head around it. Sorry.

Next, my goal: I have a SPA. I want end-users to be able to authenticate using either a username and password (using Auth0’s provided username-password-authentication) or one of my two connectors (Google and Microsoft). I have an API that the SPA (and, theoretically, any other consumer) will use to get work done. This API should be able to assess that a user has the proper scopes to perform the actions.

What I need help with: I think I understand that when a user signs in in the SPA, they will be authenticating with Auth0 (for user-pass-auth) or the with Google or Microsoft. The SPA will get an ID Token and an Access Token. The access token’s audience is the SPA, correct? So how do I turn around and authenticate that user with my first-party API so that I can get an Access Token whose audience is the API so that calls can be made in order to do work?


#2

Hi @brewtus

The audience you specify will be your API and not your SPA.

The reason for this is when you make the authentication request to Auth0 you are pretty much saying “I want to authenticate the user so that this SPA (specified by the client_id) can access this API (specified by the audience)”.

This is the reason why you can’t use id_token for API’s since the id_token is intended for you SPA and as such the audience is set to your SPA’s client_id.

You would then send the access_token received by the successful authentication to your API on every HTTPS request using the standard Authorization header with the Bearer <access_token> format.

Hope this helps!