Reputation: 1340
Implementing OAuth2/OIDC for VueJS SPA and asp.net core 3.1
- Vue front-end for
SPAandasp.net core 3.1as backend for API - Using
Microsoft.AspNetCore.SpaServices.Extensionsnuget package so, among others, SPA files will be served from a folder (wwwroot/dist) when users access .net core - Back end API controller is decorated with
[Authorize]attribute - SPA router has authguards so protected routes are only available to authenticated users
- SPA will use
Axiosand pass a bearer token to the back end API
I want to implement OAuth2/Oidc authorization code with pkce using the identityserver4 hosted on another system.
A request for the landing page should forward the user to identityserver4 for the login/password prompt and redirect back after completing all the steps with a token.
Ideally I want the .net core handle all the oauth/oidc steps and don't want to deal with it using oidc-client javascript client in SPA. Any suggestion on how I can accomplish this? Thanks
Upvotes: 0
Views: 2559
Answers (1)
Reputation: 29291
Well there are two standard models here and you need to choose one of them, depending on factors you care most about:
OPTION 1: SPA SCENARIO
- The SPA is the OAuth client and authenticates via Javascript tech
- The API is the OAuth resource server
It is not standard for a resource server to handle the authentication flow for a client - instead a client should authenticate, then call the resource server.
OPTION 2: WEB BACK END SCENARIO
People most commonly choose this option when they want to keep tokens out of the browser's Javascript code:
- A Web Back End in C# is the OAuth client
- The Web Back End needs to securely communicate with the browser and has to use an auth cookie for this
- To call an API the browser needs to either send the cookie to the web back end to get a token, or double hop all API calls via the web back end
ABOUT OIDC CLIENT
Personally I prefer option 1, which I think is closer to overall SPA Goals, such as cross domain hosting and use of content delivery networks. OIDC Client can actually lead to a fairly simple SPA security implementation, as in this Client Side Implementation of mine.
Upvotes: 0
Related Questions
- OIDC client support for multi tenant - oidc-client throws "no matching state found in storage"
- How to properly use 0Auth with a Vue SPA without leaking sourcecode?
- Vuex-OIDC on the dev server
- What’s the right OIDC flow for Vue SPA with .Net 5 WebAPI?
- Need Assistance in integrating OAuth in VueJS App
- How to implement OIDC using vuex-oidc in vue.js
- OpenId Connect library from Vue app to OpenId provider
- What is the correct way to do SPA Authentication with ASP.NET Core 3?
- authentication with vue spa
- InvalidOperationException when signing in to IdentityServer4 via oidc-client