SPA website + rest api service

Hi there,

I’m fairly new to auth0 and I’m trying to understand how to use it in my case.

I’m running a pay per use REST API service. To use it the users have to first open an account on my website (SPA), navigate to the profile page and get the API key. The API key is then inserted in each call they make to the REST API service.

The login in the website is made through the auth0 universal login page.

Now I would like to replace the custom API key management with one of the Auth0 flows (I guess I have to use the client credentials grant, right?)

But, how to do that? How do I get a client id and a client secret for each of my users? Should I create one third party application for each of them?

At the moment some actions on the website are performed with an access token provided from the Auth0 API that I called /website. Should I create another Auth0 API that issues tokens to be used only with my REST API service (keeping the website and the REST API service separate)?

Hi Marco,

Could you just use a normal Auth Code + PKCE flow and user sessions? Your users would call the API with their access token, and when it expires they will have to get a new one.

John

The problem is that when the token expires they should be able to programmatically get a new access token. Can I use a refresh token? This means each of my users will get a refresh token to create new access tokens to be used with the API, but they may also use it to log in to their account through the website.
Personally I do not like the idea at all.

So, the question is when these API calls are made, and from where.
Are they made in isolation (not part of your web app, but perhaps included in users’ apps)?

I think this is the case. If so, then client credentials is the right flow. Instead of an API key, you’ll have to create a Machine to Machine application for each customer, and that is how you secure your system and track usage.

If that is not the case, then you are back to a user based flow like auth code, with sessions and possibly refresh tokens.

John
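The client credentials exchange John describes, as an added example that is not code from this thread or from Auth0: the customer's Machine to Machine application posts its credentials to the tenant's token endpoint, and the REST API, after verifying the signature, reads the client id out of the token to meter usage per customer. The tenant domain, API identifier, client id/secret and sample claims are all constructed placeholders.

```javascript
// Added example (not code from the thread or from Auth0): the client credentials
// exchange a customer's Machine to Machine application performs, and how the
// REST API attributes a verified token to that customer for usage tracking.
// All names below (tenant domain, API identifier, client id/secret, sample
// claims) are constructed placeholders.

const AUTH0_DOMAIN = 'example-tenant.auth0.com';    // placeholder tenant
const API_AUDIENCE = 'https://api.example.com/';     // placeholder API identifier

// Form-encoded body of the POST to https://{tenant}/oauth/token.
// The secret travels in the body over TLS; it never belongs in a URL.
function buildClientCredentialsBody(clientId, clientSecret, audience) {
  return new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: clientId,
    client_secret: clientSecret,
    audience,
  }).toString();
}

// The exchange itself (network call; not exercised offline).
async function requestAccessToken(clientId, clientSecret) {
  const res = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: buildClientCredentialsBody(clientId, clientSecret, API_AUDIENCE),
  });
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return (await res.json()).access_token;   // sent as "Authorization: Bearer <token>"
}

// Decode the payload of a JWS compact token WITHOUT verifying it. The API must
// verify the signature against the tenant's JWKS (e.g. with express-oauth2-jwt-bearer)
// before trusting any claim; this helper only reads a token already verified.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');   // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Identify the customer behind an M2M token. Auth0 issues client-credentials
// tokens with sub = "<client_id>@clients", azp = client_id and gty = "client-credentials",
// so the client id (one application per customer) is the key for metering.
function callerFromVerifiedPayload(payload, expectedAudience) {
  if (payload.gty !== 'client-credentials') return null;      // not an M2M token
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expectedAudience)) return null;          // minted for another API
  if (typeof payload.sub !== 'string' || !payload.sub.endsWith('@clients')) return null;
  return { clientId: payload.sub.slice(0, -'@clients'.length), azp: payload.azp };
}

// Constructed, unsigned sample token for offline use only (header and signature are dummies).
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}
```

The audience check matters here: a token the customer obtained for a different API of the same tenant (for instance the /website API mentioned earlier in the thread) decodes just as well, so the REST API must reject anything whose `aud` is not its own identifier.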

Yep this is the case.

OK, I’ll create an M2M application for each user.

When my users ask for an access token (with their credentials) I would like to insert their user id as a claim of the token (not the client id of the application!)

How can I do that? I was thinking of naming each application with the userId and then using a hook to add the client name as a claim in the access token. Is that the correct way?
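An added example of the claim-stamping step asked about here (not code from this thread and not Auth0's own), written as an Auth0 Action on the Machine to Machine (credentials-exchange) trigger, which is the current home for what Hooks used to do. It assumes each customer's M2M application carries the owning user id in its application metadata under an assumed key `owner_user_id`, and falls back to the application name as the post proposes; the claim name is a placeholder namespace, and the `event`/`api` surface used (`event.client.name`, `event.client.metadata`, `api.accessToken.setCustomClaim`, `api.access.deny`) follows Auth0's Actions documentation as I read it. The `runHandlerLocally` harness is only there so the decision logic can be exercised offline.

```javascript
// Added example (not the thread's code and not Auth0's): an Auth0 Action on the
// Machine to Machine (credentials-exchange) trigger that stamps the owning user's
// id into every access token issued to that customer's M2M application.
// Assumptions: the application stores the user id in its metadata under
// "owner_user_id" (an assumed key), with the application name as a fallback;
// the claim name is a placeholder namespace; the event/api surface follows
// Auth0's Actions documentation.

const OWNER_CLAIM = 'https://api.example.com/owner_user_id';   // placeholder namespaced claim

// Auth0 user ids look like "<connection>|<id>", e.g. "auth0|5f7c8ec7c33c6c004bbafe82".
const USER_ID_SHAPE = /^[a-z0-9-]+\|[\w.-]+$/i;

// Pure decision: which user id (if any) a token for this application should carry.
// Metadata is preferred because it is an explicit per-application setting; the
// display name is only a fallback since names are editable and not validated.
function resolveOwnerUserId(client) {
  const fromMetadata = client.metadata && client.metadata.owner_user_id;
  if (typeof fromMetadata === 'string' && USER_ID_SHAPE.test(fromMetadata)) return fromMetadata;
  if (typeof client.name === 'string' && USER_ID_SHAPE.test(client.name)) return client.name;
  return null;
}

// The Action handler as it would be deployed in the Auth0 dashboard.
async function onExecuteCredentialsExchange(event, api) {
  const ownerUserId = resolveOwnerUserId(event.client);
  if (!ownerUserId) {
    // Refuse to mint a token the API could not attribute to a customer.
    api.access.deny('invalid_client', 'application is not linked to a user');
    return;
  }
  api.accessToken.setCustomClaim(OWNER_CLAIM, ownerUserId);
}
// In the Action editor this is exported as exports.onExecuteCredentialsExchange.
if (typeof exports !== 'undefined') exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;

// Local stand-in for Auth0's api object so the handler can be exercised offline.
// The handler has no await, so its body completes before the call returns.
function runHandlerLocally(client) {
  const result = { claims: {}, denied: null };
  const api = {
    accessToken: { setCustomClaim: (name, value) => { result.claims[name] = value; } },
    access: { deny: (code, message) => { result.denied = { code, message }; } },
  };
  onExecuteCredentialsExchange({ client }, api);
  return result;
}
```

On the API side the claim is read from the verified token the same way any other claim is; the application's own `client_id` still arrives in `sub`/`azp`, so a request can be attributed both to the application and to the user who owns it.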