Your basic client flow is the de-facto use case for API authentication.
Basically you need to create a new API in the Dashboard => APIs section and use the base URL of your API server in the Identifier field. This will be referred to as the Audience in your access_tokens. Please use RS256 as the signing algorithm (the default one).
The next thing you need is to request an access_token which is signed for that specific audience. Depending on the client architecture you have (web application, SPA, mobile app, etc.) you need to use the appropriate grant type in order to retrieve your access_token.
Since you are using the “Resource Owner Password Grant” you can find more details about API invocation using this grant type here.
An example request for such a token would be the following:
curl --request POST \
--url 'https://{YOUR_AUTH0_DOMAIN}/oauth/token' \
--header 'content-type: application/json' \
--data '{"grant_type":"password","username": "{USERNAME}","password": "{PASSWORD}","audience": "{YOUR_API_AUDIENCE}", "scope": "openid create:timesheets write:calendar", "client_id": "{YOUR_CLIENT_ID}", "client_secret": "{YOUR_CLIENT_SECRET}"}'
By specifying the scope openid you will get an id_token as well. The other scopes should be the scopes to access the different endpoints of your API. You can always modify these scopes via a rule and set them according to your user_metadata like this:
// Auth0 rule: rules run as function (user, context, callback) and must call callback.
function (user, context, callback) {
  var roles = (user.app_metadata && user.app_metadata.roles) || []; // guard: app_metadata may be unset
  if (roles.indexOf("admin") >= 0) {
    context.accessToken.scope = "create:users delete:users read:users";
  }
  callback(null, user, context);
}
This access_token is the one which will be sent to your API server for authentication and contains the allowed scopes. The token validation must be done by retrieving the public key from Auth0 using the public key from your API in the following endpoint: https://YOUR_DOMAIN/.well-known/jwks.json. You can find some examples in the Quick Start tab from your API configuration settings in Auth0’s dashboard.
Once the issuer and signature have been validated you must validate
the scopes from the token against the invoked endpoint. If the
token does not contain the scope required to execute the current
endpoint an Unauthorized HTTP code (401) should be returned.
Also, when will the current delegation flows be deprecated and shut off?
We are working on some new documentation that should explain the new flows more clearly. We will not stop the old delegation flow from working without plenty of notice, and the official deprecation won’t even start until we have provided more comprehensive documentation.