I am creating a ReactJS SPA which is packaged for distribution using Electron & Cordova. The back-end is a Java Spring API server, and I have included the auth0-spring-security-api library to handle the security.
I have set up the API in a very similar way to the Spring Quickstart guide:
The authentication inside the UI works great, as does the API access.
However, I need to know, in the API, which user is making the request. For example, using the above quickstart guide's scenario: I don't want `getPhotos()` to return all photos, only the photos the current user created or owns. To do this, the API needs to have some unique identifier for the current user (even just an email address, but `user_id` would obviously be better). The `access_token` given to the API is the API's access token and always has the same `sub` and "user" info, which is the UI's "client ID" (not the authenticated user's info/id). This makes sense, since this is effectively a machine-to-machine communication.
The only way I can think of to resolve this is to capture both the user's `access_token` during authentication, along with the API's `access_token`, and pass them both to the API with each REST request. For example:
```js
// Module-level state shared with getHttpConfig() below
let id_token;
let user_access_token;
let api_access_token;

handleAuthentication = (authResult) => {
  id_token = authResult.idToken;
  user_access_token = authResult.accessToken;
  // Fetch the API token (client-credentials grant) from the API server
  axios.post(`${API_URL}/oauth/token`, FETCH_TOKEN_CONFIG)
    .then((response) => {
      api_access_token = response.data.access_token;
    })
    .catch((error) => {
      // Rethrown inside the promise chain, so this surfaces as a rejected promise
      throw new Error(error);
    });
};
```
Then the REST API HTTP headers:
```js
static getHttpConfig() {
  // Two credentials per request: the API's own token in Authorization,
  // and the user's token in a custom UserToken header
  const Authorization = `Bearer ${api_access_token}`;
  const UserToken = user_access_token;
  return {
    headers: { Authorization, UserToken },
  };
}
```
This would require my API to then call the `/userinfo` endpoint, passing along that `UserToken`, in order to know who the actual user is. I would, of course, then store that in a Redis server or some other cache.
However, this seems like a lot of extra steps to me, and a lot of management of user info on the API side, which leads me to believe I am missing some easier solution.
Is there a better way to handle this? I'm sure I am not the first to run into it; however, my research has not found a reference to a common solution to this.
Note: This may be a similar issue to… Get User Data Server Side - what is a good approach? - Auth0 Community
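A server-side counterpart to the two-token approach described in the post, added here as an example rather than code from the post or from auth0-spring-security-api: a Spring filter that reads the `UserToken` header, resolves it through Auth0's `/userinfo` endpoint, and caches the result for a bounded time keyed by a hash of the token rather than the token itself. The tenant URL is a placeholder and the `currentUser` request attribute, cache TTL and class name are assumptions; it assumes Spring 5.1+ (for `setBearerAuth`) and Java 16+ (for `record`).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.http.*;
import org.springframework.web.client.*;
import org.springframework.web.filter.OncePerRequestFilter;

public class UserTokenFilter extends OncePerRequestFilter {
    private static final String USERINFO_URL = "https://YOUR_TENANT.auth0.com/userinfo"; // placeholder tenant
    private static final Duration CACHE_TTL = Duration.ofMinutes(5); // keep well below the token lifetime
    private record CachedUser(Map<?, ?> claims, Instant expires) {}
    private final RestTemplate rest = new RestTemplate();
    private final Map<String, CachedUser> cache = new ConcurrentHashMap<>(); // keyed by token hash, not the token
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String userToken = req.getHeader("UserToken");
        if (userToken == null || userToken.isBlank()) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing UserToken"); return;
        }
        String key = sha256(userToken);
        CachedUser user = cache.get(key);
        if (user == null || user.expires().isBefore(Instant.now())) {
            Map<?, ?> claims = fetchUserInfo(userToken); // null when Auth0 rejects the token
            if (claims == null || claims.get("sub") == null) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid UserToken"); return;
            }
            user = new CachedUser(claims, Instant.now().plus(CACHE_TTL));
            cache.put(key, user);
        }
        req.setAttribute("currentUser", user.claims()); // controllers read "sub" / "email" from this attribute
        chain.doFilter(req, res);
    }
    private Map<?, ?> fetchUserInfo(String token) {
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(token); // Auth0 validates the token itself; expired or forged tokens get 401
        try {
            return rest.exchange(USERINFO_URL, HttpMethod.GET, new HttpEntity<>(headers), Map.class).getBody();
        } catch (RestClientException e) { return null; }
    }
    private static String sha256(String s) {
        try { return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Register the filter so it runs after the existing auth0-spring-security-api check of the `Authorization` token, so only requests that already carry a valid API token reach `/userinfo`. In a multi-instance deployment the in-memory map would be replaced by the Redis cache the post mentions, with the same hashed key and TTL.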