Aleksandr Albert

Reputation: 1877

Can we secure a dotnet core 2.0 React App with only aspnet identity?

I am building a SPA using React and Redux on top of dotnet core 2.0. Unfortunately, the vs2017 template for this does not include Authentication/Authorization.

In looking around, I saw many people talking about the use of JWTs and suggesting things like Identity Server or OpenIddict to handle this, but I have only ever used ASP.NET Identity to handle security before.

My question is, is it possible to secure a React app by using ASP.NET Identity alone, and if so, why do so many people jump straight to JWTs as the solution for securing SPA apps?

Is token-based authentication the only method that works with a SPA app, or can I use cookie-based authentication?

Upvotes: 21

Views: 2874

Answers (2)

axelio

Reputation: 207

If you are going to have React and the API on one domain, and the SPA will be the only client of the API, it may be recommended to use cookie-based authentication with SameSite cookies.

Upvotes: 0

Trilok Kumar

Reputation: 591

I will try to answer your questions.

Q.1. Is it possible to secure a React app by using ASP.NET Identity alone, and if so, why do so many people jump straight to JWTs as the solution for securing SPA apps?

Q.2. Is token-based authentication the only method that works with a SPA app, or can I use cookie-based authentication?

Answer to the first question (this question is technically related to the difference between the cookie-based and token-based authentication approaches.)

Cookie-based authentication system

  • A cookie-based session is stateful, as the server needs to keep track of active sessions, while on the front end/client side a cookie is created that holds a session identifier.
  • You can secure your Web API using a cookie-based authentication system, but only in a very limited scope, because a cookie-based system doesn't work well on native clients, or if your Web API is going to be consumed by some other Web API.

Token-based authentication system

  • It is stateless, as the server does not keep track of which tokens were issued or which users are logged in.

  • Here the server only needs to verify the validity of the token, so the token-based approach is more decoupled than the cookie-based one.

Sources

Answer to the second question

Yes, you can implement cookie-based authentication in a SPA by using the OWIN Cookie Authentication middleware.

You can find more information regarding it at the following link.

https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

Hope the above will help.

Upvotes: 6
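For the cookie-only setup both answers describe (ASP.NET Core Identity issuing a SameSite cookie to a same-origin React SPA), here is an added example of the relevant Startup.cs wiring for ASP.NET Core 2.0; it is not code from the question or either answer, and it assumes the `ApplicationUser` and `ApplicationDbContext` types that the default Identity templates generate.

```csharp
// Startup.cs (ASP.NET Core 2.0) -- added example, not from the question or answers.
// Assumes ApplicationUser / ApplicationDbContext from the standard Identity template.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Identity registers the application cookie authentication scheme for us.
        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;                          // not readable from JS
            options.Cookie.SameSite = SameSiteMode.Strict;           // withheld on cross-site requests
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
            options.ExpireTimeSpan = TimeSpan.FromHours(1);
            options.SlidingExpiration = true;

            // A SPA calling the API wants status codes, not an HTML redirect to /Account/Login.
            options.Events.OnRedirectToLogin = ctx =>
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            };
            options.Events.OnRedirectToAccessDenied = ctx =>
            {
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                return Task.CompletedTask;
            };
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] sees the cookie principal
        app.UseMvc();
    }
}
```

On the React side, `fetch` must be called with `credentials: 'same-origin'` for the cookie to be sent, and because a same-site form post from a logged-in browser still carries the cookie, state-changing endpoints should additionally be protected with antiforgery tokens.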
