Mike

Reputation: 932

How to handle authorization and authentication on SPA with OAuth2?

I am developing an SPA and would like to have SSO. As I understood so far, OAuth2 with OIDC is the best solution for SPA SSO. Better than, for example, SAML.

What I didn't understand so far is how to use the authorization token in the SPA's JS code to handle authorization on various resources of the SPA. For example, I would like users with the role 'buyer' to have access to the shopping history tab, to which other users won't have access.

Should I parse the access token obtained from the Authorization server in JS code and check whether a user has an appropriate role to see the tab, or should this decision be made on the server (API) side, in which case the SPA's code would just read the answer from the API and customize the UI based on that?
In the case of the first approach, is there any standard way of doing the checking (in the form of some JS library)?

When it comes to authentication, what is the better approach (more secure, etc):

Upvotes: 1

Views: 745

Answers (2)

Kavindu Dodanduwa

Reputation: 13059

According to the user description, your application must vary depending on user type. If this is the case, I would suggest you use a backend for authentication and decide the application content to be served from the backend. Otherwise, as you have figured out, running authentication in the browser and altering the user view is not secure.

IMO this does not necessarily break SPA architecture. What you are doing is altering what you serve based on the tokens presented to you. Also, maintaining a session will be required with this approach, and the SPA's calls to the backend will need to contain this session to obtain contents.

Upvotes: 1

skjagini

Reputation: 3217

As soon as the User is logged in, you would request authentication and, based on his UserId and the role he belongs to, you should receive all the permissions that the User is entitled to.

You convert these permissions into claims, send them back to the UI, and use them appropriately to show the features accordingly.

You also enforce the same on the server-side API to prevent any unauthorized access from outside your UI.

Upvotes: 0
