Auth0 Home Blog Docs

Help with Authorization flow choice for Angular SPA & Spring API



I am new to the tech stack mentioned in the question, as well as the concepts of Auth0. I have gone through Auth0 and OAuth2 documentation and have a partial conceptual understanding. My aim is to secure my backend API.

After going through Auth0 documentation, I came to understand that implicit-grant is a good option for my use case because I am using a (Single Page App) SPA with API. However, I am now confused about the best approach to take because of these questions:

  1. Is it possible to use the implicit grant flow to secure my (Spring) API so that my (Angular) Client can identify itself to Auth0 and access my API, without having a user based authorization? This is because in my use case, while I want only the clients I own to be able to access my API, I also want a user to be able to login during any point of their visit, as a separate, optional feature. So (if I understand this correctly,) user login cannot be a method of authenticating client itself, and from the examples I have seen for SPA + API, they are all user based login.

  2. Since I want my client to be authenticated and then authorized to use API resources just like client-credentials flow for machine-to-machine access,

    A. What are the security & feasibility pros and cons if I try an approach of a node.js backend hosting angular on the client side, where node prefetches an auth_token from Auth0 server and then (securely?) sends that token to my client, so that client can then make authorized calls to my API (using authorization header in its requests).

    B. What kind of mechanism can I create such that only my Client can request the auth_token from my Node sever?

  3. In both client-credentials flow and implicit grant flow, the client has the auth_token (and/or) id_token which can be easily obtained in an SPA. What are best security practices to handle these tokens?


For clarity, what I am trying to achieve is to secure my API endpoints and allow access to API resources only to my first class clients which right now is a SPA built using Angular. I want to provide authorization process for the client itself, without a user requiring to log in. The user may optionally log in at some later point after the client has authenticated itself against the api using Auth0 and made calls to the APi.