High Level concepts

Auth0 uses two core concepts: Applications and APIs.

Applications can be BDRC custom applications or Auth0 applications (including some Auth0 extensions).

Each application has a unique ClientID/ClientSecret pair, along with a callback URL, application type, authentication method, logo, etc.

Moreover, each application defines its allowed grant types, the API endpoints it may access, and its OAuth settings (mainly OIDC conformance and the token signature algorithm).

The list of all applications is available here.

APIs

APIs are used (or consumed) by authorized applications. Each API has a unique id and a unique identifier (elsewhere referred to as the audience).

Each API specifies its signing algorithm and token timeout values. An example can be found here, where we define the authorized applications for the auth0-authorization-extension-api.

Example 1 of apps and APIs usage: getting an API object and a token for a specific user and application.

This code illustrates two ways to get a token:

1) using the Auth0 API object;

2) having a client app log in to the Auth API in order to get a token, which can then be used to interact with the Auth API.

Requesting a token for using the Auth API

```java
import java.util.HashMap;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.message.BasicHeader;
import org.apache.http.protocol.HTTP;

HttpClient client = HttpClientBuilder.create().build();
HttpPost post = new HttpPost("https://bdrc-io.auth0.com/oauth/token");

// client_credentials grant: the application authenticates with its own
// ClientID/ClientSecret and asks for a token scoped to the given audience
HashMap<String, String> json = new HashMap<>();
json.put("grant_type", "client_credentials");
json.put("client_id", AuthProps.getProperty("lds-pdiClientID"));
json.put("client_secret", AuthProps.getProperty("lds-pdiClientSecret"));
json.put("audience", "https://bdrc-io.auth0.com/api/v2/");

ObjectMapper mapper = new ObjectMapper();
String post_data = mapper.writer().writeValueAsString(json);
StringEntity se = new StringEntity(post_data);
se.setContentType(new BasicHeader(HTTP.CONTENT_TYPE, "application/json"));
post.setEntity(se);

// the JSON response body carries the access_token (and its expires_in)
HttpResponse response = client.execute(post);
```

OR (logging in a specific user using an AuthAPI object)

```java
import com.auth0.client.auth.AuthAPI;
import com.auth0.net.AuthRequest;

AuthAPI auth = new AuthAPI("bdrc-io.auth0.com",
        AuthProps.getProperty("lds-pdiClientID"),
        AuthProps.getProperty("lds-pdiClientSecret"));

// username/password login for one user, asking for a token for the same audience
AuthRequest req = auth.login("privateuser@bdrc.com", "privateuser");
req.setScope("openid offline_access");
req.setAudience("https://bdrc-io.auth0.com/api/v2/");
String token = req.execute().getIdToken();
```

Note that the audience must (obviously) be the same in both requests: it determines the main API we are getting tokens from.

Example 2 of apps and APIs usage (getting an API object, then asking for all the groups of users):

```java
// same imports as in Example 1

HttpClient client = HttpClientBuilder.create().build();
HttpPost post = new HttpPost("https://bdrc-io.auth0.com/oauth/token");
HashMap<String, String> json = new HashMap<>();
json.put("grant_type", "client_credentials");
json.put("client_id", AuthProps.getProperty("lds-pdiClientID"));
json.put("client_secret", AuthProps.getProperty("lds-pdiClientSecret"));
// audience of the auth0-authorization-extension API, not of the Management API
json.put("audience", "urn:auth0-authz-api");

StringEntity se = new StringEntity(new ObjectMapper().writer().writeValueAsString(json));
se.setContentType(new BasicHeader(HTTP.CONTENT_TYPE, "application/json"));
post.setEntity(se);
HttpResponse response = client.execute(post);
```

Here, the ldspdi application is requesting a token for accessing the Auth0 extension API. The audience request parameter specifies the API ldspdi wants to use. Once we have the token, we can query the API endpoint:

```java
import com.fasterxml.jackson.databind.JsonNode;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.util.EntityUtils;

// extract the access token from the JSON body of the /oauth/token response
JsonNode body = new ObjectMapper().readTree(EntityUtils.toString(response.getEntity()));
String token = body.get("access_token").asText();

HttpClient client = HttpClientBuilder.create().build();
HttpGet get = new HttpGet("https://bdrc-io.us.webtask.io/adf6e2f2b84784b57522e3b19dfc9201/api/groups");
get.addHeader("Authorization", "Bearer " + token);
HttpResponse groups = client.execute(get);
```
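Both examples take the token straight from the `/oauth/token` response and put it in an Authorization header. As an added check (example code, not part of the BDRC code), the helper below decodes the JWT payload with the JDK Base64 decoder and Jackson, and confirms that the `aud` claim contains the audience that was requested and that `exp` has not passed; `checkAccessToken` and `sampleToken` are hypothetical names, and the tokens are constructed inline, unsigned, purely for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

public class TokenAudienceCheck {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Decodes the JWT payload (no signature check: that is the resource server's job)
    // and reports why the token is unusable for `expectedAudience`, or null when it is fine.
    public static String checkAccessToken(String jwt, String expectedAudience) throws Exception {
        String[] parts = jwt.split("\\.", -1); // -1 keeps an empty signature segment
        if (parts.length != 3) return "not a compact JWT";
        JsonNode payload = MAPPER.readTree(Base64.getUrlDecoder().decode(parts[1]));

        // `aud` is a string for client_credentials tokens, but may be an array
        JsonNode aud = payload.get("aud");
        boolean audienceOk = false;
        if (aud != null && aud.isTextual()) {
            audienceOk = expectedAudience.equals(aud.asText());
        } else if (aud != null && aud.isArray()) {
            for (JsonNode a : aud) audienceOk |= expectedAudience.equals(a.asText());
        }
        if (!audienceOk) return "token audience does not include " + expectedAudience;

        JsonNode exp = payload.get("exp");
        if (exp == null || !exp.canConvertToLong()) return "missing exp claim";
        if (Instant.ofEpochSecond(exp.asLong()).isBefore(Instant.now())) return "token expired";
        return null;
    }

    // Constructed sample token for the demonstration only: unsigned, empty signature segment
    static String sampleToken(String aud, long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String claims = "{\"aud\":\"" + aud + "\",\"exp\":" + exp + "}";
        return header + "." + enc.encodeToString(claims.getBytes(StandardCharsets.UTF_8)) + ".";
    }

    public static void main(String[] args) throws Exception {
        long inOneHour = Instant.now().getEpochSecond() + 3600;
        String ok = sampleToken("urn:auth0-authz-api", inOneHour);
        String mgmt = sampleToken("https://bdrc-io.auth0.com/api/v2/", inOneHour);
        System.out.println(checkAccessToken(ok, "urn:auth0-authz-api"));
        System.out.println(checkAccessToken(mgmt, "urn:auth0-authz-api"));
        System.out.println(checkAccessToken(sampleToken("urn:auth0-authz-api", 0), "urn:auth0-authz-api"));
    }
}
```

Signature verification remains the job of the API receiving the token, so this only catches a mismatch between the audience requested from `/oauth/token` and the token actually returned. In the AuthAPI login flow above, `getIdToken()` returns the ID token, whose `aud` is the application's ClientID; the token to present to an API, and to run this check on, is the one from `getAccessToken()`.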