Redirect SPA to Universal login to obtain a JWT with the audience for my custom API
Use that JWT, in the SPA, to access my API
Decode and validate the token in the API
Now I tried to access the Management API with that token, but encountered “401 Bad Audience”. I have since realised that the JWT sent to the SPA (after login) is meant for SPA<->Custom API communication ONLY.
I can see here that to get an access token the client id and secret are used.
So is this the recommended way to approach this? Once the JWT has been validated then the API is safe to use a machine-to-machine id+secret for backend requests, because we know the user is genuine?
There is mention of build a process at your backend that will provide you with a token automatically (and thus simulate a non-expiring token). Is this something implemented in the laravel package at all? I can’t see anything myself.
The requests between your backend API and the Auth0 Management API should be separated from the user. You should request a separate token, using the client credentials grant (client_id and client_password in exchange for an Access Token).
The flow would go like this:
User login returns Access Token through the SPA with your backend API as the audience
SPA makes requests to your backend API with the User’s Access Token
Your backend validates the request and token and requests its own Access Token with the Management API as the audience (M2M Access Token)
Backend API makes any request to the Management API with the M2M Access Token
There are two Access Tokens in this scenario.
A token for requests from SPA → backend API (user Access Token)
A token for requests from backend API → Management API (M2M Access Token)
I’m not sure where this is stated, or if this is specific to laravel. I can look into it if you provide a link to the source.
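The two-token flow described in the answer above, as an added example that is not part of the original thread and not Auth0's own SDK or Laravel package code: the backend validates the user's Access Token (audience pinned to the custom API, which is the check behind the "401 Bad Audience" response), and only then reaches for a separate M2M token obtained via the client credentials grant, cached and refreshed shortly before expiry so the backend never has to hand out a long-lived token. Assumptions: the audiences, secret and subject are constructed placeholders; the token is HS256-signed only so the example runs offline (Auth0 normally issues RS256 tokens verified against the tenant's JWKS); and `FakeClientCredentialsGrant` stands in for the real POST to the tenant's `/oauth/token` endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Constructed placeholder identifiers (not a real tenant or API).
API_AUDIENCE = "https://backend-api.example"                # the custom API's identifier
MGMT_AUDIENCE = "https://TENANT.example.auth0.com/api/v2/"  # Management API audience placeholder
USER_TOKEN_SECRET = b"constructed-hs256-secret"             # HS256 key for this offline demo only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: Dict, secret: bytes) -> str:
    """Mint an HS256 JWT; stands in for the token Universal Login hands the SPA."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_user_token(token: str, secret: bytes, audience: str, now: Optional[float] = None) -> Dict:
    """Backend-side validation of the SPA's token: algorithm, signature, expiry and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:  # a Management API token fails here with "bad audience"
        raise ValueError("bad audience")
    return claims


class ManagementTokenCache:
    """Holds one M2M token and re-runs the client credentials grant before it expires."""

    def __init__(self, request_token: Callable[[], Dict], leeway: int = 60,
                 clock: Callable[[], float] = time.time):
        self._request_token = request_token  # performs the client_credentials POST to /oauth/token
        self._leeway = leeway
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def get(self) -> str:
        if self._token is None or self._clock() + self._leeway >= self._expires_at:
            resp = self._request_token()
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp["expires_in"])
        return self._token


def handle_backend_request(user_token: str, cache: ManagementTokenCache,
                           now: Optional[float] = None) -> Dict:
    """The backend step: validate the user's token first, only then use the M2M token."""
    claims = verify_user_token(user_token, USER_TOKEN_SECRET, API_AUDIENCE, now)
    mgmt_token = cache.get()  # a separate credential; the user's token is never sent upstream
    return {"user": claims["sub"], "management_token": mgmt_token}


class FakeClientCredentialsGrant:
    """Stand-in for the tenant's /oauth/token endpoint; counts how often it is called."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self) -> Dict:
        self.calls += 1
        return {"access_token": f"m2m-token-{self.calls}", "token_type": "Bearer", "expires_in": 86400}


if __name__ == "__main__":
    grant = FakeClientCredentialsGrant()
    cache = ManagementTokenCache(grant)
    tok = make_token({"sub": "auth0|user123", "aud": API_AUDIENCE, "exp": time.time() + 3600},
                     USER_TOKEN_SECRET)
    print(handle_backend_request(tok, cache))
    print(handle_backend_request(tok, cache), "grant calls:", grant.calls)
```

The injected clock and grant callable are what make the cache testable; in a real deployment the callable would POST `grant_type=client_credentials` with the backend's own client_id and client_secret to the tenant's token endpoint, and the leeway keeps a request from going out with a token that expires mid-flight.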
Excellent, thank you. So I just need to follow the docs above then. The build process quote is at the top of that page. I can build my own solution for this, just didn’t want to reinvent the wheel as it were.