I finally have time to resume my project to set up Auth0 for my project. It is a continuation of my previous question, and I think I have a clearer question.
auth0 tenant can callback a web application server, putting the auth code in the URL parameters
auth0 tenant can redirect the browser to a pure SPA, putting the auth code in the URL hash fragment
But for a client application (suppose a Python client that has managed to perform steps 1 and 2, and opened a browser with the correct URL + parameters in step 3), how does the Authorization Code get back to the client application? There is no server to call back to. Can the client application contact the Auth0 tenant to check on the state of the authorization request?
It seems all solutions point to standing up a server that can accept Authorization Code callbacks from the Auth0 Tenant, and somehow relaying them to the standalone applications that need them.
Could you walk us through an example? I am curious why you would not just authenticate through the SPA and request a token for your api, then make requests that way. Can you outline the implementation or flow if possible?
I thought I did a good job of being clear, but I guess my ignorance is greater than I suppose.
First, I would like to confirm that “auth0 tenant can redirect the browser to a pure SPA, putting the auth code in the URL hash fragment” (step 6) is actually an option in the Authorization Code Flow with Proof Key for Code Exchange (PKCE). At least a static Javascript page will be able to read that Authorization Code, and I can proceed with a variation of what I want to deploy. Although, putting codes in the URL seems insecure.
The main use case is this: I have a simple Python script on my Windows machine. It accesses a protected service, so it needs some key to function properly. Right now, I plug in a USB dongle with credentials to get it to run, but that is not secure. I would like to change the script so I authenticate over our company SSO, the script gets its Authorization Code, does its work against the protected service, and shuts down. There are no keys on my machine, there are no keys on a USB stick. I think I understand how to implement steps 1, 2, and 3. Steps 4 and 5 are between me and Auth0. Step 6 is a mystery. Steps 7, 8, 9, 10 and 11 happen during the script execution, and seem clear.
How do I get the Authorization Code, in step 6, back to my Python script?
I read a blog post, and one section seems to have an answer: "SPAs using their backend to obtain and forward tokens back to the JS layer". I must set up some service that can "obtain and forward tokens". I would like to confirm whether this is the only way to support authentication on my Python script, or if Auth0 already has that service available, or if some standard has been issued to guide deployment of such a service so I do not screw it up.
This is not an approach I have been exposed to, so let us try and figure it out together!
I think I have a better understanding of what you are requiring now, and it sounds like you would be better off just forwarding the token and letting the Python script use it to make the request to the protected resource. This would require that the Python script function like a backend, but no token or key would persist as far as I understand (to be honest I have not implemented something like this so I can't be sure).
The other option that may be more tailored to this setup, although not an exact solution, would be the device flow. This will require you to authenticate from the machine and input a code, but may be a solution. It would work like this:
You run the Python script
The device (script) requests a code from oauth/device/code
You enter the code at a verification URL and log in (via SSO)
The auth server will mark the device (script) as authorized and issue a token
The device (script) will use the token to request resources and delete it when finished running
This is the same flow a smart IoT device would use that requires auth. Let me know if that makes sense and if it sounds like a reasonable solution.
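To make the device flow above concrete, here is an added example in Python (it is not code from this thread, from Auth0, or from either poster). It implements the five steps as a client for the OAuth 2.0 Device Authorization Grant (RFC 8628): the script requests a device code, shows the user code, polls the token endpoint until the user has logged in, uses the token once, and lets it go out of scope. The HTTP call is injected, so the same client can be pointed at a real tenant (for example with `requests.post`) or at the `FakeAuthServer` below, which is a constructed stand-in that answers like a tenant would while the user is still typing the code (pending, then slow_down, then a token). The tenant URL, client id, audience, user code and verification URI are placeholders; the endpoint paths `/oauth/device/code` and `/oauth/token`, the grant type URN and the error codes are the standard ones.

```python
"""Device Authorization Grant (RFC 8628) client with an offline fake server.
Added example, not code from the thread; tenant URL, client id and audience
are placeholders, and FakeAuthServer is a constructed stand-in for Auth0."""
import secrets
import time
from typing import Callable, Dict

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
PostFn = Callable[[str, Dict[str, str]], Dict]  # (url, form fields) -> parsed JSON body


class DeviceFlowClient:
    """Steps 2-4 of the flow: get a device code, wait for the user to approve, receive a token."""

    def __init__(self, post: PostFn, tenant_url: str, client_id: str, audience: str, scope: str = "openid"):
        self.post, self.base, self.client_id = post, tenant_url.rstrip("/"), client_id
        self.audience, self.scope = audience, scope

    def request_device_code(self) -> Dict:
        """POST /oauth/device/code and return the codes the user has to enter (step 2)."""
        body = self.post(f"{self.base}/oauth/device/code",
                         {"client_id": self.client_id, "scope": self.scope, "audience": self.audience})
        missing = {"device_code", "user_code", "verification_uri", "expires_in", "interval"} - body.keys()
        if missing:
            raise ValueError(f"device code response is missing fields: {sorted(missing)}")
        return body

    def poll_for_token(self, device_code: str, interval: int, expires_in: int,
                       sleep: Callable[[float], None] = time.sleep) -> str:
        """POST /oauth/token until the user approves (step 4), honouring the RFC 8628 error codes."""
        elapsed, delay = 0, max(int(interval), 1)
        while elapsed < expires_in:
            sleep(delay)  # never poll faster than the server asked for
            elapsed += delay
            body = self.post(f"{self.base}/oauth/token",
                             {"grant_type": DEVICE_GRANT, "device_code": device_code, "client_id": self.client_id})
            if "access_token" in body:
                return body["access_token"]
            err = body.get("error")
            if err == "authorization_pending":  # user has not finished logging in yet
                continue
            if err == "slow_down":  # server wants a longer interval; RFC 8628 says add 5 s
                delay += 5
                continue
            raise PermissionError(f"authorization failed: {err}")  # expired_token, access_denied, invalid_grant
        raise TimeoutError("user did not approve before the device code expired")


class FakeAuthServer:
    """Constructed stand-in for the tenant's two endpoints (not a real Auth0 response set).
    The first token poll gets authorization_pending, the second slow_down, the third a token."""

    def __init__(self):
        self.issued: Dict[str, int] = {}  # device_code -> number of token polls seen
        self.requests = []  # transcript of (path, form) for inspection

    def post(self, url: str, form: Dict[str, str]) -> Dict:
        path = url[url.index("/oauth"):]
        self.requests.append((path, dict(form)))
        if path == "/oauth/device/code":
            code = secrets.token_urlsafe(24)
            self.issued[code] = 0
            return {"device_code": code, "user_code": "WDJB-MJHT",  # placeholder user code
                    "verification_uri": "https://example-tenant.invalid/activate",
                    "expires_in": 900, "interval": 5}
        if path == "/oauth/token":
            code = form.get("device_code")
            if form.get("grant_type") != DEVICE_GRANT or code not in self.issued:
                return {"error": "invalid_grant"}
            self.issued[code] += 1
            if self.issued[code] == 1:
                return {"error": "authorization_pending"}
            if self.issued[code] == 2:
                return {"error": "slow_down"}
            return {"access_token": "at_" + secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 3600}
        return {"error": "not_found"}


def run_job(client: DeviceFlowClient, call_resource: Callable[[str], Dict],
            sleep: Callable[[float], None] = time.sleep, prompt: Callable[[str], None] = print) -> Dict:
    """The script's whole lifetime: obtain a token, use it once, drop it (steps 1 and 5).
    The token only ever lives in this frame; nothing is written to disk or a USB stick."""
    dc = client.request_device_code()
    prompt(f"Open {dc['verification_uri']} and enter the code {dc['user_code']}")  # step 3
    token = client.poll_for_token(dc["device_code"], dc["interval"], dc["expires_in"], sleep)
    try:
        return call_resource(token)
    finally:
        del token  # last reference gone; the script has nothing persistent to protect


def demo() -> Dict:
    """Run the flow end to end against the fake server and return what happened."""
    server = FakeAuthServer()
    client = DeviceFlowClient(server.post, "https://example-tenant.invalid",
                              "CLIENT_ID_PLACEHOLDER", "https://api.example.invalid")

    def protected_resource(token: str) -> Dict:  # stand-in for the protected service
        return {"status": "ok", "auth_header": f"Bearer {token[:3]}..."}

    result = run_job(client, protected_resource, sleep=lambda s: None, prompt=lambda m: None)
    return {"result": result, "transcript": [path for path, _ in server.requests]}


if __name__ == "__main__":
    print(demo())
```

Against a real tenant you would replace `server.post` with a thin wrapper around `requests.post(url, data=form).json()` and keep the real `time.sleep`; the poll loop then blocks until you have logged in through SSO on the verification page. The point the thread is making survives in the code: the script holds the access token only as a local variable for the duration of one run, so there is no credential on the machine to steal between runs.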