- SPA using auth0-spa-js library
- Laravel API using auth0/login package
- Redirect SPA to Universal login to obtain a JWT with the audience for my custom API
- Use that JWT, in the SPA, to access my API
- Decode and validate the token in the API
Now I tried to access the Management API with that token, but encountered “401 Bad Audience”. I have since realised that the JWT sent to the SPA (after login) is meant for SPA<->Custom API communication ONLY.
I can see here that to get an access token the client id and secret are used.
So is this the recommended way to approach this? Once the JWT has been validated, is it then safe for the API to use a machine-to-machine id+secret for backend requests, because we know the user is genuine?
There is mention of “build a process at your backend that will provide you with a token automatically (and thus simulate a non-expiring token)”. Is this something implemented in the Laravel package at all? I can’t see anything myself.
Thank you for your help.
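The backend-side pattern the post refers to (obtain a Management API token with the client-credentials grant using the M2M client id and secret, and keep it cached until shortly before it expires so the API does not mint a new token on every request), as an added example. This is not code from the original post and not part of the auth0/login package; it uses only Laravel's `Http` and `Cache` facades. The class name, cache key, constructor values, the margin of 60 seconds, and the `getUser` helper are assumptions for this example. The `audience` value is the point that produced the “Bad Audience” error: the SPA's token was minted for the custom API identifier, while the Management API only accepts tokens minted for `https://{domain}/api/v2/`.

```php
<?php

namespace App\Services;

use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;
use RuntimeException;

/**
 * Added example (not from the original post or the auth0/login package).
 * Obtains a Management API access token via the OAuth 2.0 client-credentials
 * grant and caches it until shortly before it expires. Requires PHP 8.1+
 * for the promoted readonly constructor properties.
 */
class ManagementApiClient
{
    private const CACHE_KEY = 'auth0.management_token'; // assumed cache key
    private const EXPIRY_MARGIN = 60;                    // seconds; refresh before the real expiry

    public function __construct(
        private readonly string $domain,       // e.g. 'your-tenant.auth0.com' (assumed to come from config)
        private readonly string $clientId,     // M2M application client_id
        private readonly string $clientSecret, // M2M application client_secret: server-side only, never in the SPA
    ) {
    }

    /** Return the cached token, or fetch a fresh one when it is missing or about to expire. */
    public function token(): string
    {
        $cached = Cache::get(self::CACHE_KEY);
        if (is_array($cached) && $cached['expires_at'] > time() + self::EXPIRY_MARGIN) {
            return $cached['access_token'];
        }

        return $this->fetchToken();
    }

    private function fetchToken(): string
    {
        $response = Http::asForm()->post("https://{$this->domain}/oauth/token", [
            'grant_type'    => 'client_credentials',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            // The audience selects which API the token is minted for. A token whose
            // audience is the custom API identifier is rejected by the Management API,
            // so this request asks explicitly for the Management API audience.
            'audience'      => "https://{$this->domain}/api/v2/",
        ]);

        if ($response->failed()) {
            throw new RuntimeException('client_credentials request failed: ' . $response->body());
        }

        $body      = $response->json();
        $token     = $body['access_token'] ?? null;
        $expiresIn = (int) ($body['expires_in'] ?? 0);

        if ($token === null || $expiresIn <= self::EXPIRY_MARGIN) {
            throw new RuntimeException('token endpoint returned no usable access_token');
        }

        // Cache for the token lifetime minus the margin so a stale token is never served.
        Cache::put(self::CACHE_KEY, [
            'access_token' => $token,
            'expires_at'   => time() + $expiresIn,
        ], $expiresIn - self::EXPIRY_MARGIN);

        return $token;
    }

    /** Example backend call: read the profile of one user via the Management API. */
    public function getUser(string $userId): array
    {
        return Http::withToken($this->token())
            ->get("https://{$this->domain}/api/v2/users/" . rawurlencode($userId))
            ->throw()
            ->json();
    }
}
```

One caveat worth keeping in mind with this pattern: the Management API token carries the M2M application's scopes, not the calling user's, so validating the SPA's JWT does not by itself limit what the backend can then do. Call `getUser` (or any other Management API endpoint) only with identifiers derived from the JWT the API has already validated, for instance the `sub` claim as the user id, rather than with values supplied freely in the request, so the M2M credentials are only ever exercised on behalf of the authenticated caller.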