I’ve used Auth0 Lock in the past with great success. It was super easy to set up for a web application.
This time around I need to secure a Node REST API where there is no web/ios/android client.
I found links over to the auth0 npm module. I created a prototype server with the module, but it doesn’t seem to do what I was hoping it would. I’m looking for a way to create and login users 100% via Node.
So users would signup by hitting my Node app route POST /signup with their username and password. I’d then make some sort of call to Auth0 to get them in the system. I’d get a token back from Auth0 that I can send to the user that they can use with future requests. There would also be a POST /login where the user can pass the username and password via the request body.
It seems like there is no way to do this without a web/ios/android client. I just wanted to confirm if that was the case or not.
The recommended approach would be for you to treat your Node REST API strictly as an OAuth2 resource server. What this means is that the API itself would not care or be responsible for dealing with user credentials or exchanging them for tokens. It would delegate that to the OAuth authorization server (in this case your Auth0 subscription). You can accomplish this part by following the Node (Express) API quickstart.
Having done the above, the responsibilities (and actual endpoints) for POST /signup and POST /login would be transferred to:
Given that the /oauth/token endpoint above is compliant with OAuth2, this would allow your end-users to use higher-level REST API clients that have OAuth2 support as a way to quickly consume your API. Have in mind that this would be suitable for very simple scenarios; advanced scenarios, where you would be just the provider of the API and would leave it to others to create and build client applications that specifically target that API, would likely involve the use of third-party clients and dynamic client registration.