Auth0 Home Blog Docs

Obtaining tokens in server-side component

jwt
database
serverside

#1

Our customer need to obtain a JWT token from Auth0 on server-side. I assume they need to call https://{YOUR ACCOUNT}.[eu|au].auth0.com or similar with username and password?

I assume it something similar to Form POST to https://app.eu.auth0.com/usernamepassword/login with response_type, connection, username, password, client_id.


#2

The most suitable solution will depend on the exact details, but for example a confidential client like is the case of a server-side component can exchange a username and password for tokens by performing a resource owner password credentials grant (using the /oauth/token endpoint).

Another possibility, if the server-side component can leverage a browser-based flow would be to use the authorization code grant.

Finally and for completeness, if the server-side component in question does not need or is not associated to any notion of end-users then it can make use of client credentials grant as a way to obtain access tokens suitable to call the specified API on behalf of the client application itself


#3

I think I misunderstand something. When I look at those examples they either contain

  • “client secrets” which means the solution is made on our serverside to protect the client secrets
  • “user password” which means our serverside needs to handle the user’s password

Isn’t there a solution where our customer directly connects Auth0 with their username and password to obtain the JWT-token.
Or should our serverside create a service which handles our customer’s password and connect to Auth0 for a JWT-token which is returned to our customer?

Thanks


#4

I think I misunderstand something. When I look at those examples they either contain

  • “client secrets” which means the solution is made on our serverside to protect the client secrets
  • “user password” which means our serverside needs to handle the user’s password

Isn’t there a solution where our customer directly connects Auth0 with their username and password to obtain the JWT-token.
Or should our serverside create a service which handles our customer’s password and connect to Auth0 for a JWT-token which is returned to our customer?


#5

Your customer can call /oauth/token directly and execute the ROPC grant, however, it will need to do so with information about which client application is performing the call. If you want to restrict the ROPC grant to confidential clients only as an added security measure then the customer would need to have the client secret also. Given you should not be giving client secrets of your own application to third-parties this would imply that you should probably create a client application in specific to represent your customer.


#6

Thanks!
I consider my options. I’m thinking of creating a authorization service my client use to get an access token. The service will keep our secrets.


#7

Since there’s a single customer using this service I’ve decided to give them my Auth0 client id and secret to use the Authentication API. Thanks


#8