
Comments (4)

kevinchalet commented on September 20, 2024

Hi,

These days, there are basically two different approaches to implement the scenario you described:

  • By using OIDC authentication between your WASM app and the server app. In this case, you can simply rely on the built-in Blazor WASM authentication stack, which is based on the oidc-client library. While that library is now deprecated (Microsoft doesn't seem to be eager to fix that...), it should work fine for most scenarios. For a demo, take a look at the Balosar sample: https://github.com/openiddict/openiddict-samples/tree/dev/samples/Balosar

  • By using cookie authentication between your WASM app and the server app, which we typically refer to as "the BFF - or backend-for-frontend pattern". For a demo, you can take a look at the Dantooine sample in the samples repo: https://github.com/openiddict/openiddict-samples/tree/dev/samples/Dantooine

Some people prefer the BFF approach and some prefer the first one. If you're looking for something easier to implement, the first option is probably the best one.

From what I understand, Authorization code flow + PKCE would be the best way to meet my needs. But that means I'll have to develop the login page on the server side, on my web api? In other words, my front blazor would simply redirect to the authorize endpoint of the api, which itself would display a login page, where the user would enter his credentials.

Yes, that's exactly how it would work.

How can I integrate google, twitter etc. connections into this scheme?

Assuming you're using the default Identity UI, it's very easy to do by adding the necessary configuration to your server app project. I updated the Balosar sample for you to demonstrate how to do that with GitHub but it will work with any other supported provider, Twitter included: openiddict/openiddict-samples#268.

How would the refresh token be managed?

When using the built-in Blazor WASM authentication stack, it's handled transparently for you under the hood by Blazor.

Is it good practice to develop a login form on my web API? Because I would like to only have one project, I can't host a Resource Server and an additional Authorization Server, so they have to be in the same project.

Yeah, with OpenIddict, it's perfectly fine to have both your API and your authorization server (login page included) in the same app.

Hope it helped 😃

from openiddict-core.
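The authorization code + PKCE exchange behind the first option, as an added example that is not part of this thread or of OpenIddict's own code: the client side generates the verifier/challenge pair and the authorize redirect, and a small in-memory stub stands in for the server's token endpoint to show the check OpenIddict performs when a code is redeemed. The endpoint URL, client id and the stub itself are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

AUTHORIZE_URL = "https://api.example.test/connect/authorize"  # assumed endpoint
CLIENT_ID = "blazor-wasm-client"                               # constructed value


def b64url(raw: bytes) -> str:
    # RFC 7636 base64url encoding without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    # Client side: random code_verifier and its S256 code_challenge
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_request(challenge: str, redirect_uri: str, state: str) -> str:
    # Client side: the redirect the WASM app sends the browser to
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile offline_access",  # offline_access => refresh token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class TokenEndpointStub:
    # Server-side stand-in (hypothetical): stores the challenge bound to each
    # issued code and redeems a code only if the verifier hashes to it.
    def __init__(self) -> None:
        self.issued: dict[str, str] = {}  # code -> code_challenge

    def authorize(self, authorize_url: str) -> str:
        q = parse_qs(urlparse(authorize_url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(16))
        self.issued[code] = q["code_challenge"][0]
        return code  # sent back to redirect_uri together with state

    def redeem(self, code: str, verifier: str) -> bool:
        expected = self.issued.pop(code, "")  # single use; unknown code fails
        actual = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        return secrets.compare_digest(actual, expected)
```

The verifier never leaves the WASM app until the token request, so a code intercepted on the redirect cannot be redeemed without it; the login page itself lives behind the authorize endpoint exactly as described above.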

Jad-EL commented on September 20, 2024

Hi 😁

First of all, thank you for your reply, it helps me.

I thought that to use the BFF, the WASM blazor had to be hosted, whereas in my case it's a standalone application.
Anyway, I think I'll go for the first case.

I've started integrating OpenIddict into my API, adding the code flow + PKCE authorization protocol.

But rather than adding a classic razor page for login, I'm adding a razor server-side-rendered component, following this guide: https://learn.microsoft.com/en-us/aspnet/core/blazor/components/integration?view=aspnetcore-8.0#add-static-server-side-rendering-static-ssr since I'm used to working with blazor. Since the component will be in server-side-rendering mode, there's no security problem, is there?

Finally, you say that the blazor wasm authentication library is deprecated. Are you talking about this one? https://learn.microsoft.com/fr-fr/aspnet/core/blazor/security/webassembly/?view=aspnetcore-8.0

Because it's the one I was going to implement.

It could look like this:

(diagram image not included)

Can I have your opinion about this?

Otherwise, thanks again for updating Balosar, I'm leaning on it, and thanks also for your work, it's an excellent library and it helps demystify authentication 😁


kevinchalet commented on September 20, 2024

Hey,

I thought that to use the BFF, the WASM blazor had to be hosted, whereas in my case it's a standalone application.

Yeah, if your authorization server and your Blazor app are served from different domains, using cookies is indeed impractical 😄

But rather than adding a classic razor page for login, I'm adding a razor server-side-rendered component, following this guide: https://learn.microsoft.com/en-us/aspnet/core/blazor/components/integration?view=aspnetcore-8.0#add-static-server-side-rendering-static-ssr since I'm used to working with blazor. Since the component will be in server-side-rendering mode, there's no security problem, is there?

I'm not super familiar with SSR applied to Blazor, but I don't see why it should matter (the threat model should be roughly the same as a good old web app).

Finally, you say that the blazor wasm authentication library is deprecated. Are you talking about this one? https://learn.microsoft.com/fr-fr/aspnet/core/blazor/security/webassembly/?view=aspnetcore-8.0

Yes: the .NET wrapper itself is not deprecated but the underlying JS lib is no longer supported since 2021 (https://github.com/IdentityModel/oidc-client-js). That said, if a critical bug/security issue was found, I guess Microsoft would fork it and fix themselves, so it's probably not a deal breaker for most apps.

Because it's the one I was going to implement.

Well, you sadly don't have tons of options: yes it relies on a no longer supported lib, but it's your best option, so... 😄

Otherwise, thanks again for updating Balosar, I'm leaning on it, and thanks also for your work, it's an excellent library and it helps demystify authentication 😁

Thanks for your kind words! Glad you like the project 😄


Jad-EL commented on September 20, 2024

I managed to do what I wanted to do, following Balosar principles, but with Blazor SSR components instead of Razor Pages 🙂 (so, without the default Identity UI).

I added a Postman client with code flow + PKCE settings to test, and everything seems to be OK.

I think my API is now more secure, and it's going to be easier to add an external provider now!

I'm going to close this ticket, thanks again and have a good day ;)
