
SPA user can't access API

Hi all,
I’m working on an app with an Angular front and a Spring API.
I’ve got a SPA with the domain —.–, and an API, let’s call it Local with audience http://localhost:8080 for my tests.

The flow is as follows:

  1. User accesses Front
  2. Front redirects to Auth0 for authentication
  3. Auth0 redirects to Front with access_token, id_token…
  4. Front calls Back on a user event with the id_token as bearer token
  5. Back checks the id_token against Auth0 <-- KO
  6. Back answers Front

It breaks at step 5. When the API is called locally (curl) with the test token provided in Local (Test Application) it works fine, but when it’s called with an actual token from step 3, access is denied.

It seems that my “front” user doesn’t have the right to access the API. In the API configuration, issuer is set as —.–, and apiAudience as http://localhost:8080, which is the API identifier.

Am I missing some configuration? Is it actually possible to call the API with the same token that the front received?

EDIT:
Full solution a bit further in the discussion (link: SPA user can't access API)

From your explanation, I believe you are defining a custom Auth0 API, right? I mean, you are defining an identifier to it (http://localhost:8080), and you are trying to make the frontend app consume it with an idToken?

If that is the case, this is exactly your problem. You should be using access tokens instead. Check this link:

I hope that helps!


Thank you a lot, it’s better with the access token. It’s better, but it’s not good.
Tokens are accepted (as opposed to a random string), but access is still refused and the debugger tells me that the user is anonymous.

To be honest, the access tokens don’t look like JWTs at all; they’re just 32-character strings, and I can’t parse them. The test token (an actual JWT) works, but not the access tokens I get from the Front.
I don’t know if the front asks for an incompatible access token, or if the back isn’t configured to read them.

EDIT:
There was a bit of configuration missing on the front part; the access token is now a valid JWT. Access is still denied with the reason “user is anonymous”, though.

If you are getting an access_token on the JWT format, then you are a bit closer. I believe you are using auth0.js on the frontend, right? If so, can you paste your config here so I can check?

After further investigation, the “scope” part was not defined on the SPA side; there were just empty quotes, as this part was not implemented yet. I added ‘openid’ for now, but I will look more deeply into this. The sub can be loaded as the Security context name, so the initial issue is solved.

Full solution :

  1. Implementing this tutorial :
  2. Changing the frontend configuration to add a) the api audience, and b) a scope (‘openid’ seems enough as a minimal implementation)
  3. Using the returned access_token to call the api

Oh, awesome. I’m glad you solved your problems. Here are a couple of links that might help you:


Let us know if you need help.
