I'm confused about the role of an "API" (Auth0 term) and audience.
I have a single page Vue app, with a Node/Express backend.
In Auth0, I set up an SPA application, and an API with identifier foo. The API does not have any permissions, and no applications are "authorized" for it.
In Vue, I initialise Auth0 with @auth0/auth0-vue, and pass audience: 'foo', my clientId, redirect_uri and domain.
In the backend, I use express-oauth2-jwt-bearer, and pass the audience: 'foo', the issuerBaseUrl and tokenSigningAlg.
This works. JWT credentials on incoming requests are verified.
But it's weird: I'm not doing anything else with this API that I set up. I'm not making any calls with it, and I haven't done anything to link it to the SPA in Auth0.
So do I even need it?
If I remove the audience attribute from the Auth0 setup in the frontend, I can still log in, but I don't know what audience to set in the backend (express-oauth2-jwt-bearer won't initialise without one).
If I set the audience attribute to something different in the frontend (e.g. bar), I can no longer log in. Clicking the login button redirects to http://localhost:8080/?error=access_denied&error_description=Service not found: bar&state=ekxhRnVlc0lGOTBlSGxSbWNWU1hYeDl4anFNTGN1V1YtSVpfdHVIYnBjMg==
So my questions:
- do I actually need an API set up in order to validate JWT credentials?
- if not, what can I use as the audience?
There are 2 roles of component where audience is used.
SPA CLIENT ROLE
If you include an openid scope then you will get an ID token. The audience of this is the client ID, eg myapp. Your login-related code will validate the audience of this token. Other than that you might ignore the ID token.
API ROLE
The heart of OAuth 2.0 is using access tokens to get data. You should ensure that the access token has fields of this form, to restrict where the access token can be used. Setting the scope to a business area is often a good option when getting started.
The API role is the most important one. Authorization servers often use registration entries for APIs where access token settings are configured, even though the API is not a client. So use those settings to get your desired results.
The same settings can then be configured in express-oauth2-jwt-bearer. Use that library to verify the access token in all requests from the SPA to get data.
API PLATFORMS
When there are multiple related APIs, as in microservice setups, they are sometimes given the same audience to enable APIs to forward access tokens to each other. Similarly, it is possible for multiple APIs to share the same scope if they are for the same business area. The exact way it is done is up to the designer.