Hi,
I am trying to use Actions to do a pre-signup action, as well as a single web app.
I would like to create a token inside the Action, to assure my backend that the request originates from Auth0 Actions. It is basically like this:
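```js
exports.onExecutePreUserRegistration = async (event, api) => {
  // Request an access token for the API using the client credentials grant.
  const response = await fetch(`https://DOMAIN/oauth/token`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      "audience": "http://localhost/api",
      "grant_type": "client_credentials",
      "client_id": "MACHINE_TO_MACHINE_CLIENT_ID",
      // The client secret is read from the Action's secrets store.
      "client_secret": event.secrets.CLIENT_SECRET
    })
  });
  // Pull the access token out of the JSON response.
  const accessToken = (await response.json())['access_token'];
  // Debug output: this writes the bearer token to the Action logs.
  console.log(accessToken);
};
```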
This works well, but this now means that my backend will receive API requests from two clients:
- Actions will send API requests signed with the M2M application (with the application secret).
- SPA will send API requests signed with the SPA application (with the API audience).
Is this assumption correct? Does this mean that in my backend I am supposed to have two Auth0 objects (one with the M2M secrets, and one with the SPA secret)? Or am I missing something in the flow here?
Thanks!
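
An added example, not part of the original post: one way a backend can tell the two kinds of caller apart from the claims of an already-verified access token, relying on Auth0 client-credentials tokens carrying `gty: "client-credentials"`, `azp` set to the client ID and a `sub` of the form `<client_id>@clients`. It assumes signature verification against the tenant's signing keys has already been done by a JWT library; `SPA_CLIENT_ID`, the function names and the sample payloads are constructed for illustration.

```javascript
// Assumption: `claims` is the payload of a token whose signature was already verified.
const CONFIG = {
  issuer: 'https://DOMAIN/',                      // tenant issuer (placeholder)
  audience: 'http://localhost/api',               // API identifier from the post
  actionClientId: 'MACHINE_TO_MACHINE_CLIENT_ID', // M2M app used by the Action
  spaClientId: 'SPA_CLIENT_ID',                   // hypothetical SPA client ID
};

function deny(reason) { return { ok: false, reason }; }

// Returns { ok: true, caller: 'action' | 'user', subject } or { ok: false, reason }.
function identifyCaller(claims, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!claims || typeof claims !== 'object') return deny('no claims');
  if (claims.iss !== CONFIG.issuer) return deny('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(CONFIG.audience)) return deny('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return deny('expired');

  if (claims.gty === 'client-credentials') {
    // Machine token: must come from the one M2M client the Action uses.
    if (claims.azp !== CONFIG.actionClientId) return deny('unknown machine client');
    if (claims.sub !== `${claims.azp}@clients`) return deny('sub/azp mismatch');
    return { ok: true, caller: 'action', subject: claims.sub };
  }
  // User token issued through the SPA login.
  if (claims.azp !== CONFIG.spaClientId) return deny('unknown user client');
  if (typeof claims.sub !== 'string' || claims.sub.endsWith('@clients')) {
    return deny('not a user subject');
  }
  return { ok: true, caller: 'user', subject: claims.sub };
}

// Route policy: the pre-registration endpoint accepts only the Action's token.
function canCallPreRegistrationHook(claims, nowSeconds) {
  const result = identifyCaller(claims, nowSeconds);
  return result.ok && result.caller === 'action';
}

// Constructed sample payloads (not real tokens).
const NOW = 1700000000;
const actionToken = {
  iss: CONFIG.issuer, aud: CONFIG.audience, exp: NOW + 3600, gty: 'client-credentials',
  azp: 'MACHINE_TO_MACHINE_CLIENT_ID', sub: 'MACHINE_TO_MACHINE_CLIENT_ID@clients',
};
const spaToken = {
  iss: CONFIG.issuer, aud: [CONFIG.audience, 'https://DOMAIN/userinfo'],
  exp: NOW + 3600, azp: 'SPA_CLIENT_ID', sub: 'auth0|constructed-user-id',
};
```

Both sample tokens pass the same issuer, audience and expiry checks; only the claim-based branch differs, so `canCallPreRegistrationHook(spaToken, NOW)` is false while the Action's token is accepted.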