Non Interactive Client Spring API User Info

rwblackburn · January 15, 2018, 1:10am

I am creating a ReactJS SPA which is packaged for distribution using Electron & Cordova.
The back-end is a Java Spring API server, and i have included the auth0-spring-security-api library the handle the security.

I have set up the API in a very similar way to the Spring Quickstart guide:

Auth0 Spring Boot API SDK Quickstarts: Authorization

The authentication inside the UI works great, as does the API access.

However, I need to know, in the API, which user is making the request. For example, using the above quickstart guide’s scenario; I don’t want getPhotos() to return all photos, only the photos the current user created or owns. To do this, the API needs to have some unique identifier for the current user (even just email address, but user_id would obviously be better). The access_token given to the API is the APIs access token and always has the same sub and “user” info, which is the UI’s “client ID” (not the authenticated user’s info/id). Which makes sense, since this is effectively a machine-to-machine communication.

The only way I can think to resolve this is to capture both the user’s access_token during authentication, along with the API’s access_token, and pass them both to the API with each REST request. For example:

handleAuthentication = (authResult) => {
id_token = authResult.idToken;
user_access_token = authResult.accessToken;
// Fetch the API token
axios.post(`${API_URL}/oauth/token`, FETCH_TOKEN_CONFIG)
    .then((response) => {
        api_access_token = response.data.access_token;
    })
     .catch((error) => {
        throw new Error(error);
    });
};

Then the REST API HTTP headers:

static getHttpConfig() {
   const Authorization = `Bearer ${api_access_token}`;
   const UserToken = user_access_token;
   return {
      headers: { Authorization, UserToken },
   };
}

This would require my API to then call the /userinfo endpoint, passing along that UserToken, in order to know who the actual user is. I would, of course, then store that in a Redis server or some other cache.

However, this seems like a lot of extra steps to me, and a lot of management of user info on the API side. Which leads me to believe I am missing some easier solution.

Is there a better way to handle this? I’m sure I am not the first to run into it, however my reasearch has not found a reference to a common solution to this.

Note: This may be a similar issue to… Get User Data Server Side - what is a good approach? - Auth0 Community

rwblackburn · January 15, 2018, 1:12am

Here is a similar (still unanswered) question I just found: How to retrieve user information in spring-boot service ? - Auth0 Community

konrad.sopala · August 13, 2019, 10:53am

Hey there!

Sorry for such delay in response. We’re doing our best in providing high quality developer support here in the forum but sometimes the number of questions coming in compared to our bandwidth is too big. Sorry for inconvenience!

Can you let me know if you’re still struggling with the issue and need assistance from us?

Thank you!