I am wondering which Auth0 2.0 Flow is suitable for our application.
What i found so far is, that there are
Client Credentials Flow
Authorization Code Flow
Resource Owner Password Flow
Authorization Code Flow with Proof Key for Code Exchange (PKCE)
Implicit Flow with Form Post
My candidates are
Authorization Code Flow
Resource Owner Password Flow
But as a newbie, I am not sure. I even may miss something?
I would appreciate any advice to find a proper flow for our application.
The application consists of 3 parts: Front end, REST - API and Database
1. Front end:
Just HTML, CSS, Javascript, running in a HTTP Server.
The front end calls a REST - API via Ajax calls to get data.
2. REST API
Java REST API managed by the Spring Framework with Spring Security 5, running in an application server.
Called by the front end. Provides data to the front end.
Calls the database.
8. Database
Stores the user information (including passwords)
Current authentication: The user adds the credential (username, password) to an HTML page and submit them via Ajax to the REST API. If successful, the REST API returns an access token, which can be used for further requests to get data from the API (see picture).
Judging from your description it sounds like your application most closely aligns with our concept of a Regular Web Application where most of the application logic is happening server side.
In that case I believe the Authorization Code flow would be our recommendation for OAuth 2.0 flow. I can see how the Resource Owner Password flow could also make sense, but it would be our recommendation if possible to stick to a flow that allowed your application to be free from handling sensitive info such as users’ passwords etc.
Hope this helps let us know if you have any further concerns.
I followed your advice to go for the concept of a Regular Web Application with the Authorization Code flow.
I came up with the following communication flow. The question is, does is work like this?
The basic idea is to get an ACCESS_TOKEN from Auth0 via javascript and then use this token to make the API calls.
Getting the ACCESS_TOKEN seems pretty clear to me, but what puzzles me is how the API knows that this token is actually valid? Can my API pass this token to Auth0 and Auth0 “tells” my API the token is valid or not?
Nice diagram for the most part that looks to model the Authorization Code Flow well. For a full sequence of how that dance is done you can refer to this doc:
Let me provide some documentation on calling an API with the Auth Code Flow that I think will help clarify things with your API. The final link on validating access tokens should provide some more explicit steps on how your API can validate an Access Token issued by Auth0. https://auth0.com/docs/flows/call-your-api-using-the-authorization-code-flow
Hope this helps you on your quest, let us know if you have any further concerns!
thank you very much to putting me on the right way. I think I got the point now.
For everybody, who reads this in the Future and does not know about JWT Tokens:
The API does not need to know Auth0 and therefore does not need to communicate with Auth0.
The the API needs to know is the client secret which will be used then to verify if the JWT Token is valid.
Always happy to help! I forgot to mention and you may have already seen it, but once you create your API in Auth0 there should be a ‘quickstart’ tab that will provide sample code for validating a JWT. Depending on what language you’re coding in that could provide a very solid base for configuring middleware that will effectively decode and validate the access token.
I am sorry to bother, but I stuck with getting the jwt token in java script.
The idea is the following: Getting the token in java script, keep it in the session and use it for my ajax calls to my API.
So far I could manage to login with the following code:
After clicking the login button, which calls loginWithAuth0(), I am redirected to the login form from Auth0 and I login successful. Then I am redirected to my previous page with the “code” and “state”: