SPA OAuth flow without user authentication prompt

Our web application development partner for our company’s portal has developed an authentication middleware within the Netlify CDN to authenticate our SPA web application before it reaches the backend API via the Edge API GW.

I find it weird to have custom authentication middleware deployed in Netlify. I’m trying to figure out why they don’t use Auth0 for this. Their explanations are as follows: the middleware is used to authenticate the SPA before it reaches the API GW. Thus the first part of the flow between the SPA and the middleware is done with WAF and LB in an unauthenticated way. No user authenticates at this point. This is an anonymous navigation on the website but the web application must still display content that comes in part from the backend APIs. They say that within the middleware, they use Netlify features to authenticate the app when the user is not logged in. But they will also use it when the user is logged in.

We have to understand here that the application serves web content via GraphQL APIs in front of ContentStack and other LOB backend APIs. When the user is not logged in, the SPA must still call these APIs to render the content.

So my question here is:
Is there an OAuth flow the SPA could use (via Auth0) that doesn’t require any user authentication and allows the app to authenticate to get a JWT token? Thus, the application could pass directly to the API GW without having to go through a custom authentication middleware in Netlify.

I thought authentication code flow with PKCE was the solution, but I read that it requires user authentication.
And I read that the implicit flow also seems to require user authentication. And many websites say to stop using this flow if possible because it is less secure.
And if we think of the Client Credential Flow, we fall back, according to my understanding, into a problem of protection of the app secret. So not any better at first sight.

Thank you so much.

Hey there @tojeffraymond welcome to the community!

Interesting use case, I haven’t heard of anything similar personally. The only flow that wouldn’t require any user authentication is m2m. You could proxy a client credentials exchange through a backend via a SPA so that the credentials are handled on a backend and safe.

It’s fairly common for SPAs to proxy calls through a backend to call the Management API, for example. This typically involves an authenticated user, but I don’t see any reason you couldn’t handle this on a backend with an unauthenticated user. Here’s an FAQ that goes into this setup:

Not entirely sure that answers your question, but hope it at least gives some direction!

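The reply above suggests proxying a client-credentials exchange through a backend so the SPA never holds the secret. The following is an added example of what such a backend-for-frontend (for instance a Netlify Function or a small Node service) could look like; it is not code from this thread or from Auth0. The token URL, audience, client id/secret and the `/graphql/public-content` route are placeholders, and `createTokenCache`, `createAnonymousProxy` and `exchangeClientCredentials` are names chosen here. It assumes Node 18+ for the global `fetch`; the fetcher and clock are injectable so the caching and allow-list logic can be exercised offline.

```javascript
'use strict';

// Configuration for the proxy. The client secret is read from the environment and
// never shipped to the browser. The URLs and ids are placeholders, not the thread's.
const CONFIG = {
  tokenUrl: process.env.OAUTH_TOKEN_URL || 'https://TENANT-PLACEHOLDER.auth0.com/oauth/token',
  audience: process.env.API_AUDIENCE || 'https://api.example.invalid',
  clientId: process.env.OAUTH_CLIENT_ID || 'client-id-placeholder',
  clientSecret: process.env.OAUTH_CLIENT_SECRET || 'client-secret-placeholder',
};

// Real OAuth2 client-credentials exchange against the token endpoint (Node 18+ fetch).
// The cache below accepts any fetcher with this shape, so this is not needed offline.
async function exchangeClientCredentials(body) {
  const res = await fetch(CONFIG.tokenUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return res.json(); // expected shape: { access_token, token_type, expires_in }
}

// Caches the machine token so a fresh exchange is not performed on every SPA request.
// `fetchToken` and `now` are injectable for offline testing.
function createTokenCache(fetchToken = exchangeClientCredentials, now = () => Date.now()) {
  let cached = null; // { accessToken, expiresAt }
  const refreshSkewMs = 30 * 1000; // renew a little before the real expiry
  return async function getToken() {
    if (cached && cached.expiresAt - refreshSkewMs > now()) {
      return cached.accessToken;
    }
    const tokenResponse = await fetchToken({
      grant_type: 'client_credentials',
      client_id: CONFIG.clientId,
      client_secret: CONFIG.clientSecret,
      audience: CONFIG.audience,
    });
    if (typeof tokenResponse.access_token !== 'string' || !(tokenResponse.expires_in > 0)) {
      throw new Error('malformed token response');
    }
    cached = {
      accessToken: tokenResponse.access_token,
      expiresAt: now() + tokenResponse.expires_in * 1000,
    };
    return cached.accessToken;
  };
}

// Routes an anonymous visitor may reach through the proxy. The token represents the
// application, not a user, so the proxy itself must limit what unauthenticated
// traffic can do with it.
const ANONYMOUS_ALLOWED = new Set([
  'POST /graphql/public-content', // constructed example route
]);

// Builds the request handler. `forward` sends the request upstream (to the API
// gateway) and is injectable for testing. The browser never receives the token.
function createAnonymousProxy(getToken, forward) {
  return async function handle(req) {
    const route = `${req.method} ${req.path}`;
    if (!ANONYMOUS_ALLOWED.has(route)) {
      return { status: 403, body: { error: 'route not available anonymously' } };
    }
    const accessToken = await getToken();
    const upstream = await forward({
      method: req.method,
      path: req.path,
      body: req.body,
      headers: { Authorization: `Bearer ${accessToken}` },
    });
    // Return only the upstream status and body; the bearer token stays server-side.
    return { status: upstream.status, body: upstream.body };
  };
}
```

Two design points matter in practice: the allow-list, because a client-credentials token carries the application's full permissions and the API gateway cannot tell an anonymous visitor from a logged-in one when both arrive with the same machine token; and the cache, because without it every page view would hit the token endpoint. Logged-in users should still go through Authorization Code with PKCE so their calls carry a user-scoped token rather than this shared one.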
