I have a NodeJS API which I want to link with Auth0 for authentication and authorization. So I created a client and an API on the Auth0 dashboard. I set up a /login endpoint which lets the user log in to a website, and it is working well. I can restrict the logged-in users to access only some parts of the website. However, I want to enable this user to use an API which my backend exposes. My backend checks for a valid JWT to authorise a user. How can the user get a JWT and gain access to the API? What should be the grant_type and the flow to be followed?
The exact flow and grant type used will depend on the exact characteristics of the client application. You can check the following documentation for guidance on which flow you should go with:
In addition, in order to get an access token suitable to then call your API you will need to include the audience parameter as part of the initial authentication/authorization request, and the value should be the identifier you configured for your own API.
The previous documentation includes links that demonstrate how to execute each of the flows.
I was missing the audience parameter. I have got a working API now. However, I still didn't understand how an end-user can access this API. Should the Client ID and Client secret be shared with all users registered on my site, who wish to access my API?
In general, there would be a client application where end-users would authenticate and then perform actions that would interact with the API. Basically, the client application would be the one actually performing API requests, although it would be doing those on behalf of end-users. You mention a website, so this would be your notion of client application. If you want to give direct access to the API to end-users then that is a different subject, and it will depend a lot on all the details.