SPA + API
In this scenario you have a Single Page Web Application ("Client") which talks to an API ("Resource Server"). The application will use OpenID Connect with the Implicit Grant Flow to authenticate users with Auth0. Note that this flow can only be used for Clients whose type is Single Page Application in the Dashboard.
When a user logs in, Auth0 will return to the application an
access_token and an
id_token. In case the
response_type value used is
id_token then only an
id_token will be returned.
access_tokenis used to securely call the API on behalf of the user.
id_tokenis consumed only by the client and contains user profile data. Alternatively the user profile can be obtained by calling the
/userinfoendpoint in the Auth0 Authentication API with the
access_token. In order for this to work
openidshould be granted as a scope and the API, for which the
access_tokenis issued, should use
RS256as signing algorithm.
The application will usually store the information about the user's session (i.e. whether they are logged in, their tokens, user profile data, and so forth) inside some sort of storage such a Local Storage.
The following is a list of articles on this website which will help you to implement this scenario: