Auth0 Authenticate client App to consume external API
I have a SPA in React that makes calls to an external API like GET https://myapi.com/api/items/1 or GET https://myapi.com/api/items/.
On the myapi.com server, the routes are secured with OAuth2 using express-jwt and auth0-api-jwt-rsa-validation, so only calls with the header { Authorization: 'bearer ' + token } respond with status 200.
If I consumed these calls from a server-side application I could obtain the token from POST https://myapi.auth0.com/oauth/token, passing client_id, client_secret, grant_type and audience. But since the application is client-side I think there is a better approach that avoids exposing client_secret and so on.
I tried the implicit-grant approach but I am dealing with the callback_uri and other confusing stuff.
The main idea is to allow the Application, say https://myapp.com/list, to consume the API like GET https://myapi.com/api/items (without users, without passwords).
The points:
Where should OAuth2 go in my Application? (onEnter the top level route, on componentDidMount?) and [...]

Since I asked this question in the Auth0 Community, I think it could be useful for others to share the answer.
For my use case, the most important part is:
You reached the right conclusions; the use of the token endpoint either for client credentials grants or resource owner password grant (ROPC) is not recommended for a SPA [...] This means that if you want a SPA to access an API without the notion of a user, then that API needs to be public.
So, in my case I'll make the API public or think about some user/password implementation.
Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.