Our web application development partner for our company’s portal has developed an authentication middleware within the Netlify CDN to authenticate our SPA web application before it reaches the backend API via the Edge API GW.
I find it weird to have custom authentication middleware deployed in Netlify. I’m trying to figure out why they don’t use Auth0 for this. Their explanations are as follows: the middleware is used to authenticate the SPA before it reaches the API GW. Thus the first part of the flow between the SPA and the middleware is done with WAF and LB in an unauthenticated way. No user authenticates at this point. This is an anonymous navigation on the website but the web application must still display content that comes in part from the backend APIs. They say that within the middleware, they use Netlify features to authenticate the app when the user is not logged in. But they will also use it when the user is logged in.
We have to understand here that the application serves web content via GraphQL APIs in front of ContentStack and other LOB backend APIs. When the user is not logged in, the SPA must still call these APIs to render the content.
So my question here is:
Is there an OAuth flow the SPA could use (via Auth0) that doesn’t require any user authentication and allows the app to authenticate to get a JWT token? Thus, the application could pass directly to the API GW without having to go through a custom authentication middleware in Netlify.
I thought authentication code flow with PKCE was the solution, but I read that it requires user authentication.
And I read that the implicit flow also seems to require user authentication. And many websites say to stop using this flow if possible because it is less secure.
And if we think of the Client Credential Flow, we fall back, according to my understanding, into a problem of protection of the app secret. So not any better at first sight.
Thank you so much.