I’m new to Auth0. I have a front-end app and a back-end API, running on different domains.
If a user logs in to my site via the browser, I get a code back in the query string of the callback. The docs say I should resolve this to a token. Should this be done on the client, or should the code be sent to a back-end endpoint and the request to retrieve a token done there?
Having got the token somehow, I presume I should send that token to any and all requests to my back-end API. My API would then have to fire a request to Auth0 to validate the token i.e. check the user is logged in and that the API request is legal. Would I have to do anything special in Auth0 settings to enable this check from a separate domain other than that registered under my Auth0 application, or can this request come from anywhere, provided it’s sent with the Auth0 account credentials?
I don’t want users to be able to sign up freely. Only users in my own DB can log in. How do I tell Auth0 to check that DB when deciding whether a login request is allowed?
The client gets an ID token, then you can use it to get an access token from Auth0. You can use this access token for your API. If you are using the React SDK, there is a method getAccessTokenSilently. Ref.: Auth0 React SDK Quickstarts: Call an API
There is a way to disable sign-ups: Authentication → database → disable sign-ups
We’ve got a bunch of quickstarts to help get you up and running with sample apps quickly. Additionally, I find our architecture scenarios docs very helpful as a high level overview.
Most Auth0 SDKs provide methods for accomplishing this - It may be helpful to check out 1 of our many quickstarts.
An ID token is not used nor required to get an Access Token from Auth0. Again, it depends on the technology you are using but any of the aforementioned quickstarts should be helpful. Our developer guides should be helpful as well - See React for example here.
With signups disabled and your DB users imported, only those DB users will be able to log in.
Hope this helps get you rolling in the right direction!
@tyf - I did follow the “Node.js API Authorization By Example” but found it had issues. Specifically, I got an error, “AssertionError [ERR_ASSERTION]: An ‘audience’ is required to validate the ‘aud’ claim”, when starting the app, crashing it.
Hey there @kkrp1 no problem, I’m happy to help where I can!
Assuming you are following this guide, the error specified leads me to believe that you haven’t added an audience value as an environment variable. Please see the section titled “Define the Auth0 environment variables”: