I really like that IdentityServer is integrated but I do not understand what the flow is for getting an access token. This is directed at SPAs so is this the OAuth implicit flow? And if so, what are the thoughts about implicit flow no longer being advised by the OAuth working group (https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/, https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926).
Hello! Thanks for contacting us. This sounds like a general question about using ASP.NET Core. While we try to look at and respond to all issues, for questions like this we recommend posting to a community support group like Stack Overflow with the asp.net-core tag.
@rwwilden @Rick-Anderson Looks like this example is using the OIDC implicit flow which is no longer recommended. The js lib used here also supports the 'code' flow. Maybe you could consider updating this.
@Rick-Anderson this was _not_ a general question about ASP.NET Core but a specific question on the type of OAuth flow that is used to authorize users in the article. It seems that implicit flow is used.
The next question then is what @damienbod also says: the OIDC implicit flow is no longer recommended so maybe it's a good idea to use authorization code flow with PKCE.
@Tratcher please review
This is me, not @Tratcher
No actually. It's identity server.
No, it’s me. It’s a question about our support.
@javiercn yes the template is using 'token id_token'. If you switched to code with PKCE, this would not be much effort and a better solution. (silent renew as it is, not refresh tokens)
It should also be mentioned that cookies are a good solution when using same domain for API and UI.
Greetings Damien
Sorry @javiercn, I'd read that wrong on my phone. I thought you had assigned it to me.
I made a blog about choosing the best flow for this type of app. Maybe you could update the docs with something like this
https://damienbod.com/2019/04/02/securing-browser-based-javascript-typescript-applications/
Unable to run the command

```
dotnet new angular -o FooBarProj -au Individual
```

```
Invalid input switch:
-auth
Individual
```
@BDTomasz Open an issue at https://github.com/dotnet/cli and report your version.
When will the documentation be updated for recommended approach to authentication for SPAs?
@damienbod I have seen your comments, which reflect that implicit flow is not recommended. It would be great if you could create an example of this based on the example above, if it's not too much effort to extend it; that would be a great help. Also, if we could get an example of accessing the user claims etc. on the server, that would be a bonus.
This is a great example, but could be much better with these things included.
We moved to code+pkce as of preview8
@javiercn: ok great, I think I am looking at preview6 and now see a preview7. Do I need to wait for preview8?
Yes.
@javiercn - could you please link to the work-item issue for the code+pkce changes?
7bf660947baf8966cd65ae6a3708cf283576dc25