Current setup:
- SPA using auth0-spa-js library
- Laravel API using auth0/login package
I can:
- Redirect SPA to Universal login to obtain a JWT with the audience for my custom API
- Use that JWT, in the SPA, to access my API
- Decode and validate the token in the API
Now I tried to access the Management API with that token, but encountered “401 Bad Audience”. I have since realised that the JWT sent to the SPA (after login) is meant for SPA<->Custom API communication ONLY.
I can see here that to get an access token the client id and secret are used.
- So is this the recommended way to approach this? Once the JWT has been validated then the API is safe to use a machine-to-machine id+secret for backend requests, because we know the user is genuine?
- There is mention of “build a process at your backend that will provide you with a token automatically (and thus simulate a non-expiring token)”. Is this something implemented in the Laravel package at all? I can’t see anything myself.
Thank you for your help.
The requests between your backend API and the Auth0 Management API should be separated from the user. You should request a separate token, using the client credentials grant (client_id and client_password in exchange for an Access Token).
The flow would go like this:
- User login returns Access Token through the SPA with your backend API as the audience
- SPA makes requests to your backend API with the User’s Access Token
- Your backend validates the request and token and requests its own Access Token with the Management API as the audience (M2M Access Token)
- Backend API makes any request to the Management API with the M2M Access Token
There are two Access Tokens in this scenario.
- A token for requests from SPA → backend API (user Access Token)
- A token for requests from backend API → Management API (M2M Access Token)
I’m not sure where this is stated, or if this is specific to laravel. I can look into it if you provide a link to the source.
Get Management API Access Tokens for Production
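As an added illustration of the second token in this flow (example code, not part of the thread or of the auth0/login package): a small Laravel service that performs the client credentials exchange against Auth0's `/oauth/token` endpoint with the Management API as audience, caches the resulting M2M Access Token until shortly before its `expires_in` lapses, and uses it for the backend → Management API hop. The class name, cache key and constructor arguments are assumptions; the tenant domain and credentials are placeholders you would load from config.

```php
<?php
// Added example, not code from the auth0/login package. Fetches a Management API
// Access Token with the client credentials grant and caches it until shortly before
// it expires, so the user's SPA token never reaches the Management API and no
// long-lived token is ever stored. Class and cache key names are assumptions.
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;

class ManagementTokenProvider
{
    private const REFRESH_MARGIN = 60; // refetch this many seconds before expiry
    public function __construct(
        private string $domain,       // e.g. YOUR_TENANT.auth0.com (placeholder)
        private string $clientId,     // the M2M application's client_id
        private string $clientSecret, // its client_secret: server-side only, never in the SPA
    ) {}

    public function token(): string
    {
        $audience = "https://{$this->domain}/api/v2/";
        $cacheKey = 'auth0:m2m:' . sha1($this->clientId . '|' . $audience);
        if ($cached = Cache::get($cacheKey)) {
            return $cached;
        }
        // Client credentials grant: the backend authenticates as itself.
        // Auth0 documents a JSON body for POST /oauth/token; Http::post sends JSON.
        $body = Http::post("https://{$this->domain}/oauth/token", [
            'grant_type'    => 'client_credentials',
            'client_id'     => $this->clientId,
            'client_secret' => $this->clientSecret,
            'audience'      => $audience,
        ])->throw()->json();
        // Cache for the lifetime Auth0 reports minus a margin, so a request sent
        // just before expiry is not made with a token that dies in transit.
        $ttl = (int) $body['expires_in'] - self::REFRESH_MARGIN;
        if ($ttl > 0) {
            Cache::put($cacheKey, $body['access_token'], $ttl);
        }
        return $body['access_token'];
    }

    // Second hop of the flow: call the Management API with the M2M token, only
    // after your middleware has already validated the user's incoming token.
    public function get(string $path): array
    {
        return Http::withToken($this->token())
            ->get("https://{$this->domain}/api/v2/" . ltrim($path, '/'))
            ->throw()->json();
    }
}
```

Call `get()` from a route that sits behind the auth0/login middleware, so the Management API request is only ever made on behalf of an already-validated user request.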
Excellent, thank you. So I just need to follow the docs above then. The build process quote is at the top of that page. I can build my own solution for this, just didn’t want to reinvent the wheel as it were.
Let us know if you have any other questions.