Basic registration workflow for mobile and SPA
-
Hello, I'm new to FusionAuth, and to auth as a service in general. I have a doubt regarding my app's user registration workflow.
My plan is to have a mobile app which needs to communicate with a backend API to retrieve data. I want that backend API to not have any /auth endpoint; instead it expects to receive a JWT token signed by a trusted server, FusionAuth. Also, I don't want to use the FusionAuth UI for logging in or signing up users, so I was planning to use the FusionAuth API.
I think I get the login workflow with the /api/login endpoint; what I don't fully understand is how I should register a new user from my mobile app. I will use email/password registration, at least at the beginning.
From what I understand, I should generate an API key authorized to make requests to /api/user/register and from there register my users when they fill in the form in my mobile app, but that endpoint receives extra fields like, for example, "roles", so if somebody extracts the API key from my app and calls the register endpoint, wouldn't they be able to register as, for example, an admin?
That led me to think that I should send my auth request to my backend server, and then it forwards the request to FusionAuth in a secure way, but then again, I was expecting my backend to not perform any action related to authentication at all. I can change my expectations of course, but I want to know if my reasoning is correct or how the registration workflow is supposed to work.
-
@nicolasalevera98 You are right on in that you do not want to send your API key down to the client. If you do that, they will have access to your system. In order to make a call to the APIs you will have to secure it on your server and then have the client call the server, which has access to the API Key. Now if you enabled something like the authorization code grant where the user logs in, then they would be able to use their username and password to access the APIs directly.
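The server-side registration proxy described in the answer, as an added example (not code from the thread or from FusionAuth): the backend keeps the API key in its own environment, accepts only an allowlisted set of user fields from the mobile client, and fixes the roles itself, so a client that sends "roles": ["admin"] gets an ordinary user. The request body follows FusionAuth's /api/user/register shape (a "user" object plus a "registration" object with applicationId and roles); the URL, application id and the "user" role name are placeholders.

```python
import json
import os
import urllib.request

# Placeholders: point these at your FusionAuth instance and application.
FUSIONAUTH_URL = os.environ.get("FUSIONAUTH_URL", "http://localhost:9011")
APPLICATION_ID = os.environ.get("FUSIONAUTH_APP_ID", "00000000-0000-0000-0000-000000000000")

# Only these fields are taken from the mobile client. Anything else it sends
# (roles, registration, data, verified flags, ...) is dropped, not forwarded.
ALLOWED_USER_FIELDS = ("email", "password", "firstName", "lastName")
DEFAULT_ROLES = ["user"]  # assumed role name; set server-side, never by the client


def build_registration(client_payload):
    """Turn an untrusted client JSON object into the body the backend sends to
    FusionAuth. Raises ValueError on malformed or incomplete input."""
    if not isinstance(client_payload, dict):
        raise ValueError("payload must be a JSON object")
    user = {k: client_payload[k] for k in ALLOWED_USER_FIELDS if k in client_payload}
    if not user.get("email") or not user.get("password"):
        raise ValueError("email and password are required")
    return {
        "user": user,
        "registration": {"applicationId": APPLICATION_ID, "roles": list(DEFAULT_ROLES)},
    }


def register_user(client_payload, api_key):
    """POST the sanitised registration to FusionAuth. The API key is read by the
    backend only (e.g. from its environment) and never shipped in the app."""
    body = json.dumps(build_registration(client_payload)).encode("utf-8")
    req = urllib.request.Request(
        f"{FUSIONAUTH_URL}/api/user/register",
        data=body,
        method="POST",
        headers={"Authorization": api_key, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: a client trying to smuggle in an elevated role.
    sample = {"email": "jane@example.com", "password": "hunter2!", "roles": ["admin"]}
    print(json.dumps(build_registration(sample), indent=2))
```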