Fast API Backend + Vite React SPA frontend
I am confused if I should be creating 2 applications or 1 application for this setup.
Basically I want to authenticate the user and send them an opaque token via cookie and use that for all of the auth downstream. I am not thinking of AuthZ; for AuthZ I think I'll need to reach out to something like casbin, as zitadel AuthZ seems more around zitadel-specific resources and not application-specific things per se. But AuthZ is another story.
This thread talks about it: https://discord.com/channels/927474939156643850/1307108134619451453/1307108134619451453
But it's not clear whether I should create 2 applications here: 1 for the API and another for the SPA?
This is roughly my arch; I want to protect my API endpoints via the session token but I don't want to introduce API access to it yet (i.e. only access via session tokens etc.).
What am I missing?

I don't think I want to use OIDC, just simple session cookies.
There's this but it doesn't cover my use case I think: https://zitadel.com/docs/sdk-examples/python-flask
and I have a pretty common use case so I might be missing something
Also I plan to do both user email signup and social login, so what shall be the flow there?
Checking https://github.com/zitadel/example-api-python3-flask now
But this is simply protecting the UI; it does not involve user flows.
And I am not sure why we need framework-specific SDKs.
Language-specific SDKs should be enough for this auth use case, right? Since zitadel as a service handles the heavy bits. I am confused.
ZITADEL Docs
This guide contains a use case and ZITADEL integration.
I basically want the above but with an opaque cookie-based token; I'd expect zitadel to handle the session state for me once the user logs in via social auth. Is this not something zitadel does?
Hi @tyx , thanks for reaching out! Based on what you mentioned:
"I am confused if I should be creating 2 applications or 1 application for this setup.... I want to protect my api endpoints via the session token but I don't want to introduce API access to it yet"

From your description, you need to create one application in ZITADEL, to represent your frontend application (SPA). You can check our frontend examples here. For your backend, since you have an API that behaves as an OAuth resource server that can be accessed by user-facing applications, you will need to validate access tokens by calling the ZITADEL introspection endpoint, so you will need to also create an API in ZITADEL. I hope this helps! Please let me know if this answers your question by marking this message with a ✅ or let me know if you have any other doubts!
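The introspection step the reply describes, as an added example (not ZITADEL's SDK code and not from the thread): the API sends the opaque bearer token to the instance's `/oauth/v2/introspect` endpoint, authenticating as the API application, and only then decides whether the result is acceptable. The domain, client id and secret are placeholders; the audience check assumes ZITADEL reports the project and client ids in `aud`, and `post`/`now` are injectable so the decision logic can be exercised without a network.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed/placeholder values: your ZITADEL instance domain and the client
# credentials ZITADEL issues when you create an API application (Basic auth).
ZITADEL_DOMAIN = "https://example-instance.zitadel.cloud"   # placeholder
API_CLIENT_ID = "<api-app-client-id>"                        # placeholder
API_CLIENT_SECRET = "<api-app-client-secret>"                # placeholder
INTROSPECT_URL = f"{ZITADEL_DOMAIN}/oauth/v2/introspect"

def post_form(url: str, fields: dict, user: str, password: str) -> dict:
    """Form-encoded POST authenticated with HTTP Basic, returning parsed JSON."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(fields).encode(), method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def check_claims(claims: dict, expected_aud: str, now: float) -> str:
    """Return "" if the introspection result is acceptable, else the reason."""
    # RFC 7662: revoked, expired or unknown tokens come back as active=false.
    if not claims.get("active"):
        return "token is not active"
    # Defense in depth: the server already checked exp, but reject stale results.
    if "exp" in claims and float(claims["exp"]) <= now:
        return "token expired"
    # Audience check: do not accept a token minted for a different app/project
    # (assumption: ZITADEL lists project and client ids in aud).
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in aud:
        return "token not issued for this API"
    return ""

def introspect(token: str, expected_aud: str, post=post_form, now=time.time) -> dict:
    """Ask ZITADEL about an opaque bearer token; raise PermissionError if unusable.
    `post` is injectable so the check can be exercised without network access."""
    claims = post(INTROSPECT_URL, {"token": token}, API_CLIENT_ID, API_CLIENT_SECRET)
    reason = check_claims(claims, expected_aud, now())
    if reason:
        raise PermissionError(reason)
    return claims
```

In a FastAPI backend, call `introspect()` from a dependency that reads the `Authorization` header and map `PermissionError` to a 401; cache positive results briefly if the per-request round trip to ZITADEL becomes a bottleneck.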