I’m working on an app with an Angular front and a Spring API.
I’ve got a SPA with the domain —.–.auth0.com, and an API, let’s call it Local with audience http://localhost:8080 for my tests.
The flow is as follows:
1. User accesses Front
2. Front redirects to auth0 for authentication
3. Auth0 redirects to Front with access_token, id_token…
4. Front calls Back on user’s event with the id_token as token bearer
5. Back checks id_token against auth0 <-- KO
6. Back answers to Front
It breaks at step 5. When the API is called locally (curl) with the test token provided in Local (Test Application) it works fine, but when it’s called with an actual token from step 3, access is denied.
It seems that my “front” user doesn’t have the right to access the API. In the API configuration, issuer is set as —.–.auth0.com, and apiAudience as http://localhost:8080, which is the API identifier.
Am I missing some configuration? Is it actually possible to call the API with the same token that the front received?
EDIT:
Full solution a bit further in the discussion (link: SPA user can't access API)
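
An added diagnostic example, not part of the original post or of the solution linked above: it decodes a token's claims and reports which of the two checks the API is configured with (issuer and apiAudience) the token would fail. The tenant URL, client ID and both sample tokens are constructed placeholders, and `decodeJwtPayload`, `claimMismatches` and `sampleToken` are hypothetical helper names.

```javascript
// Added diagnostic example (not from the original post). It only reads claims;
// it does NOT verify the signature, so never use it to authorize a request.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Mirrors the two claim checks the API is configured with: issuer and apiAudience.
function claimMismatches(token, expected) {
  const claims = decodeJwtPayload(token);
  // aud may be a single string or an array of strings
  const audiences = [].concat(claims.aud === undefined ? [] : claims.aud);
  const problems = [];
  if (claims.iss !== expected.issuer) {
    problems.push(`iss is ${claims.iss}, API expects ${expected.issuer}`);
  }
  if (!audiences.includes(expected.audience)) {
    problems.push(`aud is ${JSON.stringify(claims.aud)}, API expects ${expected.audience}`);
  }
  return problems;
}

// Builds a constructed sample token with a dummy signature segment.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}

const ISSUER = 'https://TENANT.example/'; // placeholder, not the poster's domain
const API = { issuer: ISSUER, audience: 'http://localhost:8080' };
// In OpenID Connect, an ID token's aud is the client ID of the application it was issued to.
const idToken = sampleToken({ iss: ISSUER, sub: 'user|1', aud: 'PLACEHOLDER_CLIENT_ID' });
// An access token requested for the API carries the API identifier in aud.
const accessToken = sampleToken({
  iss: ISSUER, sub: 'user|1', aud: ['http://localhost:8080', ISSUER + 'userinfo'],
});

console.log('id_token     ->', claimMismatches(idToken, API));
console.log('access_token ->', claimMismatches(accessToken, API));
```

Running the same comparison on the real tokens from step 3 shows which `aud` each one carries before the API's validator rejects it.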