
I'm building an API with a static frontend, and getting tripped-up by auth. I'm considering using Auth0 for some of this, but I'm a little foggy on what happens after authentication.

The SPA and API are on separate hosts.

So, is this close to the sequence of events for successful API access?

  1. A client requests a resource from an API
  2. The API responds that the resource is protected
  3. The client submits login credentials to Auth0
  4. Auth0 authenticates the credentials, and responds with... what? A token?
  5. The client stores this token for future use? (isn't this a recipe for CSRF?)
  6. The client then requests the resource from the API, but this time with the token?
  7. The API recognizes the token, and responds with the resource? Or, does the API have to validate the token against Auth0, for every request, before responding with the resource to the client?

Thanks in advance.

allanberry
  • Hi, did you see my answer from 2 days ago below? Did it help your understanding or anything still unclear? – arcseldon Aug 29 '17 at 11:10
  • Hi @arcseldon, thank you very much for your answer; I have just not yet had a chance to implement your suggestion. It seems clear, and I just upvoted it; I'll mark it as correct when I get a bit more time to work on this pet project :) – allanberry Aug 29 '17 at 18:13
  • Thanks v.much :) best of luck, and of course use the comments if you need clarifications. – arcseldon Aug 29 '17 at 23:49

1 Answer


Basically, your steps are correct - using Auth0 and an SPA app for the purposes of the descriptions below.

Authenticate with Auth0, and pass an audience parameter in your request with token as the response_type. Here is an example; just swap the {{YOUR_XXX}} parts with your own values. It will send the result to https://jwt.io (you need to add that to your allowed callbacks for the Client using the Auth0 dashboard / API).

https://{{YOUR_TENANT}}.auth0.com/authorize?client_id={{YOUR_CLIENT_ID}}&protocol=oauth2&redirect_uri=https://jwt.io&response_type=token&scope=openid email&audience=https://{{YOUR_API_AUDIENCE}}&nonce=123&state=xyz

See here for docs on this.

Yes, the SPA client typically stores the JWT access token in local storage. This offers better protection from CSRF than using, say, a cookie. It then uses the returned JWT access token to make authorized requests against the API (typically by sending it as an Authorization Bearer header). The API requests are stateless and the Bearer token (the JWT access token) needs to be verified on each request - Issuer / Signature / Audience / Expiry - Auth0 strongly favours RS256 over HS256 - and has libraries / SDKs which abstract away the low-level details. For instance, using Node.js (Express) this is as simple as adding some middleware to Passport. Quite a good writeup on RS256 vs HS256 here.

For a complete sample using Node.js / Express, I recommend this sample.

Hope this helps, feel free to leave comments if anything still unclear.

arcseldon