I have a SPA in React that makes calls to an external API like: GET https://myapi.com/api/items/1 or GET https://myapi.com/api/items/.
In the myapi.com server, the routes are secured with OAuth2 using express-jwt and auth0-api-jwt-rsa-validation, so only calls with Header: { Authorization: 'bearer ' + token } respond with a status 200.
If I consumed these calls from a server-side application I could obtain the token from POST https://myapi.auth0.com/oauth/token passing client_id, client_secret, grant_type and audience. But since the application is client-side I think there's a better approach, avoiding exposing the client_secret and so on.
I tried the implicit-grant approach but I am dealing with the callback_uri and other confusing stuff.
The main idea is to allow the Application, say https://myapp.com/list, to consume the API like GET https://myapi.com/api/items (without users, without passwords).
via Lionel T