Hey there, I’m using Auth0 to secure calls to my API.
The project consists of a REST API and an SPA that will call this API.
Authenticated users can share a public page of a dedicated resource; this page will make calls to the API and I need to secure it.
I thought of creating some kind of signing challenge that I can provide to API calls to verify, or just a public random string that will be associated with the resource in the DB.
Or generating some kind of JWT that will have the scoped permissions (read) with the same user, so that I can filter accessible resources in the API.
Is it possible to sign messages with the Auth0 API that I can verify with public keys? Can I use Refresh Tokens, or should I use Cryptographic Signing inside my API with a Secret of my own?
Thanks for the help!
To secure calls to your API from your SPA, you can consider using JSON Web Tokens (JWTs) provided by Auth0. Here’s how you can achieve this:
- When a user authenticates with Auth0 in your SPA, you can obtain an access token from Auth0’s authentication service.
- Include this access token as an Authorization header in API requests made from your SPA to your API. This allows your API to validate the token and ensure that the request is coming from an authenticated user.
- In your API, use Auth0’s JWT verification library or a JWT library compatible with your programming language to validate the signature and authenticity of the access token. This involves verifying the token’s signature with the public key provided by Auth0.
- Once the token is validated, you can extract the user’s permissions and other relevant information from the token’s payload to authorize and filter the accessible resources in your API.
By utilizing JWTs and validating them in your API, you can ensure the security and authenticity of requests made from your SPA to your API. Remember to properly configure the audience and issuer settings in the JWT verification process to ensure the validity of the tokens.