Single-Page Applications

Overview

JavaScript applications running in a browser are often hard to secure due to the open nature of the Web. Secure storage is nonexistent, and everything is in clear text (for HTTP version 1.1). Here's a quote from the Azure Active Directory team that summarizes the state of authentication with single-page applications:

The OAuth2 implicit grant is notorious for being the grant with the longest list of security concerns in the OAuth2 specification. And yet, that is the approach implemented by ADAL JS and the one we recommend when writing SPA applications. What gives? It’s all a matter of tradeoffs: and as it turns out, the implicit grant is the best approach you can pursue for applications that consume a Web API via JavaScript from a browser.

(Source: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant)

It's therefore important that you make all of the necessary checks to verify the validity of your requests and the responses.

This section provides instructions on how to configure Auth0 with a single-page application (SPA) so that users can authenticate through it and make requests to the WorkflowGen GraphQL API. This configuration is done in three steps: registering your SPA, granting access to the API, and setting some redirect URLs.

Prerequisites

  • Make sure to have a licensed copy of WorkflowGen installed and running on a server.

  • Make sure to have administrative access to Auth0 to be able to configure it properly.

  • Make sure to have provisioned an existing Auth0 user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

  • Make sure to have successfully configured delegated authentication to Auth0 on your WorkflowGen instance following the instructions in the Auth0 authentication section.

Auth0 configuration

Step 1: Register a new web application

  1. In the Auth0 portal, click Create Application in the Applications section.

  2. Fill in the form:

    • Name: Your SPA name

    • Type: Single Page Web Applications

  3. Click Create at the bottom of the page.

You should now be on the registered application page.

Step 2: Add redirect URLs

  1. On the Settings tab, scroll down to the Allowed Callback URLs section and add your application's login callback URL (for example, https://localhost/login/callback).

  2. If you support logout from Auth0, scroll down to the Allowed Logout URLs section and add your post logout redirect URL (for example, https://localhost/logout/return).

Review the registration

  • You need a client ID, which can be found on the application page's Settings tab.

  • You need your Auth0 domain name, which can be found next to your Auth0 profile picture in the top right corner of the portal.

Your application should now be successfully linked to the Auth0 infrastructure and users can login through it. If you have met the prerequisites, your application will receive an access token that it can send to the WorkflowGen GraphQL API to make authorized requests as a Bearer token via the Authorization header.