I have worked out the asymmetric (RS256) auth0 scheme for:
Google login -> React SPA -> API
This works well. However for this small store site I have a customer requirement to handle “anonymous” purchases. As in a customer can order from the site, the transaction is handed off to PayPal and the store keeps no user information at all so no order history, etc.
Without some sort of login to auth with how should I authenticate the React/API communication? I have several ideas but I am wondering what best practice is.
Edited: meant to state RS256…
Should I create a machine-to-machine setup/application via auth0 to handle the communications between the React UI and the Go API, and then setup a SPA app in auth0 just for the social connection login, and simply piggyback that social client info on top of the machine-to-machine connection (or anonymous) as needed?
It looks to me like this can not be done securely. According to the blurbs on the Pricing section of auth0.com it looks like my best bet to start with is the Developer option so that, if no social connection logins are available for a customer, they will have to setup a username/password account via auth0.