How should I set up Auth0 for Universal Login with a front-end and two apis?

I’m a little new to Auth0 and I think I’m misunderstanding how Applications and APIs are meant to be used respectively.

I have a nextjs front-end which I’ve configured as a regular web application. It works well, built from the library available here:

I also have a strapi cms and another graphql server, so… two backends.

I want to secure the back-ends with Auth0, and I need them to be identity-aware for authorization reasons. So I started by setting up the cms as a machine-to-machine application, and then created an API and added the cms application to it.

Then, in my front end, when the user logs in I simultaneously get an access token as per:

I attach that access token as the auth bearer token in the app’s request to the cms, but I get ‘401 Invalid Token’ from strapi.

In this case, I’m not sure whether it’s strapi or Auth0 that’s misconfigured.

Can somebody let me know whether I’m misunderstanding how Auth0 should be configured, and if so suggest how I should be approaching this?

1 Like

Hey there!

Can I ask you to raise it as a GitHub issue in the repo you mentioned so that the repo maintainers can guide you how to use the stack they maintain to achieve that? Make sure to share the link with us so we can ping them. Thank you!

Hi, yeah I actually raised an issue on their side already, this is the one:

I guess my problem is that I don’t know whether I understand auth0 right.

My goal is that the user logs in with the front-end once, through Auth0, and then is able to make authenticated requests to backend services, including the strapi cms. It’s fine if the app has to do some kind of token exchange in order to make authenticated requests to backend services, and fine if the user has to confirm some extra permissions dialogs once. The back-end services need to be able to get the user profile so they can be identity aware. It’s not okay if the user has to log in more than once.

If anyone can describe how they can achieve that from an Auth0 perspective, that would be wonderful!