Is it possible to have a React app (SPA) send an email and password to a Node server and then have the Node server create the user and get a JWT from Auth0, then pass back the JWT to the React app?
The use case for this would be having a single endpoint for multiple React apps to talk to and sign up with without having to implement any Auth0 code across all the apps.
Is there anything wrong with doing the above?
Or is it the case that the React apps (SPA) will each have to talk to Auth0 directly in order to create a user and receive back a JWT via the callback?
Any help and clarification on this would be much appreciated.
Are you just talking about signup or would you login with this same flow? Getting the token would require some type of login, as a signup will not return a token in the scenario you described.
If you are talking about signup and login with this method: This is not really recommended. Sending raw credentials via a POST request is possible via the resource owner password grant, but it is usually a last resort. This is for numerous reasons; watch this video if you want to hear why. Have you tried adding Auth0 to your SPAs? Once you do one, it shouldn’t be too difficult to add to all of them. Are you running into specific issues?
If you are just talking about signup: You can use the db signup endpoint to sign up users with just a username, pw, and some other profile info, but you will not receive a token in return. The user will still be required to log in.
“Are you just talking about signup or would you login with this same flow?”
Both signup and then login in the same flow. My understanding is that this could be achieved by signing up the user via the db signup endpoint and then using the ‘resource owner password grant’ in the same flow to get the access_token, which would then be returned to the client.
Subsequent logins would require the client to pass the credentials to the node server which exchanges them for an access_token via the ‘resource owner password grant’.
I think what you are saying is that the above is possible but not recommended for the reasons outlined in the video? Is this correct?
From a user experience point of view, when a user submits their username and password, we would like to sign them up AND log them in. We don’t want the user to sign up and then be redirected to the login page to log in using credentials they have just entered. Can this flow be achieved by adding Auth0 in our SPAs?
That is correct. In addition, using ROPG sacrifices many benefits of the Auth0 service, also outlined in the video.
Yes, using Universal Login, it is possible to achieve this flow. In fact, it is the default flow. A signup event when using UL also returns a token. I would encourage you to check out our quickstarts. They demonstrate how simple it is to add auth to a SPA.
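The redirect-based alternative to posting raw credentials, sketched as an added example that is not part of the thread and not Auth0's own code: an Authorization Code request with PKCE that opens the hosted page on its signup form, followed by the callback check and token request. The domain, client ID and redirect URI passed in are placeholders the caller supplies; `screen_hint` is the Auth0 parameter assumed here for selecting the signup screen.

```javascript
// Added example. All configuration values are caller-supplied placeholders.
const crypto = require('node:crypto');

const b64url = (buf) => buf.toString('base64url');

// PKCE (RFC 7636): only the SHA-256 hash of the verifier leaves the app.
function challengeFor(verifier) {
  return b64url(crypto.createHash('sha256').update(verifier).digest());
}

// Build the redirect to the hosted login page. No password is involved here.
function buildAuthorizeUrl({ domain, clientId, redirectUri, signup }) {
  const verifier = b64url(crypto.randomBytes(32));
  const state = b64url(crypto.randomBytes(16)); // CSRF binding for the callback
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid profile email',
    state,
    code_challenge: challengeFor(verifier),
    code_challenge_method: 'S256',
    ...(signup ? { screen_hint: 'signup' } : {}), // open on the signup form
  }).toString();
  return { url: url.toString(), state, verifier }; // keep state + verifier locally
}

// Validate the callback and build the body to POST to https://<domain>/oauth/token.
function buildTokenRequest(callbackUrl, saved, { clientId, redirectUri }) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(saved.state);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri,
    code_verifier: saved.verifier, // proves this app started the flow
  });
}
```

Neither request carries the user's password or a client secret, so the app and any server behind it never handle the credentials.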