Security and OpenId Connect Flows with ASP.Net Core 2.1 and React

Question

I'm currently in the process of implementing security on my ASP.Net Core 2.1 React/Redux app and I've been following the Js Client quickstart as well as the other Identity Server quickstarts. I've also been reading up on the concepts mentioned in Identity Server 4 + Identity Framework + React Front End and following the pluralsight course Securing ASP.NET Core 2 with OAuth2 and OpenID Connect which goes into oidc in the context of IDS4 a bit deeper.

During this pluralsight course the author goes into OpenId Connect flows (here if you have access) and from what I gather I'll need to use the Hybrid flow for Confidential clients and long-lived access through refresh tokens due to roject requirements but the author discusses potential security flaws this would introduce on the client-side. The reason being I would require a clientsecret, and a JavaScript app can't safely store one as it's a public client.

So here's my confusion, my client side app is built using VS2017's project template for creating an ASP.Net Core app with React and Redux - so is it still a Javascript App? This Web App will login through a single Identity Management Source (IDS4) and will need to grant the client access to the web project (React +.NET Core) as well as the WebApi (through controllers on the web project), so is there a way to SECURELY use the Hybrid flow to achieve this?

NOTE - the index page rendered by the ASP.NET side of the client is an html file, would it be more secure if this were rendered as .cshtml with security on this root page? What's the best practice here for security?

Security and OpenId Connect Flows with ASP.Net Core 2.1 and React

Answers (1)

Related Questions