
Auth0 Authenticate client App to consume external API

I have a SPA in React that makes calls to an external API like: GET https://myapi.com/api/items/1 or GET https://myapi.com/api/items/ .

In the myapi.com server, the routes are secured with OAuth2 using express-jwt and auth0-api-jwt-rsa-validation, so only calls with Header: { Authorization: 'bearer ' + token } respond with a status 200.

If I consumed these calls from a server-side application I could obtain the token from POST https://myapi.auth0.com/oauth/token passing client_id, client_secret, grant_type and audience. But since the application is client-side I think there's a better approach, avoiding exposing client_secret and so on.

I tried the implicit-grant approach but I am dealing with the callback_uri and other confusing stuff.

The main idea is to allow the Application, say https://myapp.com/list, to consume the API like GET https://myapi.com/api/items (without users, without passwords).

The points:

  • how to authenticate the Application without users
  • which call to OAuth2 should I make in my Application, and where? (onEnter the top-level route, on componentDidMount?)
  • how the token comes back in the response

Since I asked this question in the Auth0 Community I think it could be useful for others to share the answer.

For my use case, the most important part is

You reached the right conclusions; the use of the token endpoint either for client credentials grants or resource owner password grant (ROPC) is not recommended for a SPA [...] This means that if you want a SPA to access an API without the notion of a user, then that API needs to be public.

So, in my case I'll make the API public or think about some user/password implementation.
