I have Spring Boot powered REST APIs which are used by my Single Page Application built using React.js.
I now want to add an authentication layer to it. I am already using JWT for it but I need to replace it with Auth0. But I am very much confused about what the flow should look like. All the API endpoints are secured and only authenticated users have access to them.
Since Auth0 also provides browser support where everything from login, signup, redirect etc. is handled out of the box by Auth0, should I use the IdP directly in my browser client or should the backend (REST) handle these?
Every request to the backend should be validated for authentication.
The React app can use the ID Token to find data on the user such as their name, email, etc. The Access Token is used for calling an API.
When you register your API with Auth0 and provide an audience when you initialize the Auth0Provider, then Auth0 will issue you a JWT Access Token that can be used with your API as a bearer token. Your API can validate the JWT Access Token to ensure it was issued by Auth0.
Since it sounds like you have multiple APIs and you can only pass one audience to the Auth0Provider, you may want to look into this solution: Configure Logical API for Multiple APIs
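To show what "your API can validate the JWT Access Token" looks like on the Spring Boot side, here is an added example (not code from the thread or from Auth0). It assumes Spring Boot 3 with `spring-boot-starter-oauth2-resource-server`, and the `auth0.issuer` / `auth0.audience` property names and their values are placeholders for your own tenant URL and the API identifier you pass as `audience` to `Auth0Provider`.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiSecurityConfig {
    // Placeholder, e.g. https://YOUR_TENANT.auth0.com/ ; must match the token's "iss" claim exactly (trailing slash included).
    @Value("${auth0.issuer}")
    private String issuer;
    // Placeholder: the API identifier registered in Auth0, the same value React passes as "audience" to Auth0Provider.
    @Value("${auth0.audience}")
    private String audience;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every endpoint requires an authenticated caller; there are no public routes.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Act as a resource server: accept bearer JWTs, never redirect to a login page.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Discovers the tenant's JWKS from the issuer so signatures are checked against Auth0's current keys.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuer);
        // The default validator covers "iss", "exp" and "nbf"; the audience check is added explicitly so a
        // token minted for another API, or an ID Token sent by mistake, is rejected with 401.
        OAuth2TokenValidator<Jwt> withAudience = jwt -> jwt.getAudience().contains(audience)
            ? OAuth2TokenValidatorResult.success()
            : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", "Required audience missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(issuer), withAudience));
        return decoder;
    }
}
```

With this in place the React app only needs to send `Authorization: Bearer <access token>` on each request; a missing, expired, wrongly signed or wrong-audience token is refused before any controller runs.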
Thanks for your response.
Shouldn’t the backend API be responsible for connecting with Auth0? I don’t want to redirect to the Auth0 login page. In that case everything should be handled by my backend API, shouldn’t it?