We have a set of microservices using Spring Boot framework. Each microservice is represented by a distinct API in Auth0, which means unique audience per API. The initial benefits of this approach were:
- JWT generated for a given audience can’t be used on a different API.
- Developers can work independent from each other when defining scopes and new APIs.
The challenge we are facing now is having a SPA where users login and access functionalities according to their roles. The users authenticate for a particular audience (API) using the granted type http://auth0.com/oauth/grant-type/password-realm. This SPA needs to communicate with other APIs from the same ecosystem different to the one the user logged in.
We are aware of the following facts:
- Auth0 supports RBAC for API authorization and permissions can be directly assigned to users or via roles containing the required permissions.
- Auth0 doesn’t grant access tokens targeted for multiple audiences
- Auth0 provides a guideline to represent multiple APIs using a single logical API in Auth0 but the aforementioned article doesn’t fit our needs because each API has its own audience and the security configuration for Spring Boot (other frameworks supported by Auth0 as well) requires the audience and issuer to verify the integrity of the token.
JwtWebSecurityConfigurer. forRS256(this.audience, this.issuer)
How can we proceed with the SPA application in order to access multiple microservices behind the scenes – without the user having to do any further authentication except for the initial login?