
How to consume authorization extension API from SPA application?

Is there any way to use the auth ext API from https://auth0.com/docs/api/authorization-extension using an SPA application? How do we make the access_token in our SPA include access to the auth ext API?

I want to avoid server-side scripting. I guess that putting the client secret of the auth ext API inside my Angular application will produce a security risk.

Hi there @andre.hermanto93! I checked with a senior teammate on this one and you can leverage a machine to machine app in Auth0 and have it do the client credentials grant. Keep in mind this will run every auth so you will need to set up context for when it should run. I’ve linked documentation below that should help provide insight on your quest. However, if I am totally off base with your desired workflow please let me know. Thanks!

I was hoping to touch base @andre.hermanto93 and see how things are going. Do you have any additional questions on this front? Thanks in advance!

Is there any way I can access this from my Angular application (FE) securely? I read on https://auth0.com/docs/api-auth/tutorials/client-credentials that I need to put the client secret and client ID to ask for the token, which means I will expose the API to everyone, which is not a good idea.

You won’t have your Client secret open to the public as it will be within your backend. As the document states:

The Client Credentials Grant (defined in RFC 6749, section 4.4) allows an application to request an Access Token using its Client Id and Client Secret. It is used for non interactive applications (a CLI, a daemon, or a Service running on your backend) where the token is issued to the application itself, instead of an end user.
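
The arrangement described in the reply above, sketched as an added example that is not part of the original thread or Auth0's own code: a backend performs the client credentials grant, caches the token in server memory, and forwards only allowlisted calls for an already-authenticated SPA user. All names (`createTokenBroker`, `proxyForSpa`, the config fields, the allowlisted routes) are hypothetical, and `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example: runs on the backend only. All names here are hypothetical.
function createTokenBroker({ tokenUrl, clientId, clientSecret, audience,
                             fetchImpl = globalThis.fetch, now = Date.now }) {
  let cached = null;   // { token, expiresAt }, kept in server memory only
  let inflight = null; // de-duplicates concurrent token requests

  async function requestToken() {
    const res = await fetchImpl(tokenUrl, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ grant_type: 'client_credentials',
        client_id: clientId, client_secret: clientSecret, audience }),
    });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const { access_token, expires_in } = await res.json();
    // Renew 60 seconds before expiry so API calls never carry a stale token.
    cached = { token: access_token, expiresAt: now() + (expires_in - 60) * 1000 };
    return access_token;
  }

  return function getToken() {
    if (cached && now() < cached.expiresAt) return Promise.resolve(cached.token);
    if (!inflight) inflight = requestToken().finally(() => { inflight = null; });
    return inflight;
  };
}

// Routes the SPA may reach through the backend; anything else is refused,
// so the backend does not become an open proxy holding a machine-to-machine token.
const ALLOWED = new Set(['GET /groups', 'GET /roles']); // assumed example routes

async function proxyForSpa({ method, path, user },
                           { getToken, apiBase, fetchImpl = globalThis.fetch }) {
  // `user` is assumed to be set by earlier middleware that verified the SPA user's own token.
  if (!user) return { status: 401, body: { error: 'unauthenticated' } };
  if (!ALLOWED.has(`${method} ${path}`)) {
    return { status: 403, body: { error: 'route not allowed' } };
  }
  const token = await getToken();
  const res = await fetchImpl(apiBase + path, {
    method, headers: { authorization: `Bearer ${token}` },
  });
  // Only the API response goes back to the browser; the token and secret never do.
  return { status: res.status, body: await res.json() };
}
```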