Hello,
we’ve got Angular App (SPA in Auth0) and .NET Core app (API in Auth0), so it works like on the diagram here (SPA +API scenario) Solution Overview (SPAs + API).
I can’t find any option in the dashboard that allows me to restrict access to API only for this SPA. Something like we’ve got for M2M applications where I can simply select which one should have access to my API. That’s why I’m wondering if our approach is secure.
Does it mean that someone can create other application (other SPA) in our Auth0 tenant and then will be able to generate access token passing my API audience as a parameter and then will be able to access my API resources?
What’s also worth mentioning, on the API side, I’m checking only Domain and Audience from the access token. Is it possible to validate SPA that calls my API somehow?
It’s a little bit confusing to me, I don’t know if everything is good and it’s just my overthinking or there can be some security issues.
Hi there @avenhard! Sorry for the delayed response on this one but wanted to throw out a couple options
Another SPA could retrieve tokens with your API identifier as the audience - It depends on your specific use case, but it may be worth looking into using RBAC and/or adding a custom claim to the access token to include the client_id (event.client.client_id in an Action) which you could add to the check you perform on your end.
Please see this article for more on Actions and the following FAQ related to adding custom claims to tokens:
