Comments (4)
Hi,
These days, there are basically two different approaches to implement the scenario you described:
- By using OIDC authentication between your WASM app and the server app. In this case, you can simply rely on the built-in Blazor WASM authentication stack, which is based on the oidc-client library. While that library is now deprecated (Microsoft doesn't seem to be eager to fix that...), it should work fine for most scenarios. For a demo, take a look at the Balosar sample: https://github.com/openiddict/openiddict-samples/tree/dev/samples/Balosar
- By using cookie authentication between your WASM app and the server app, which we typically refer to as "the BFF - or backend-for-frontend pattern". For a demo, you can take a look at the Dantooine sample in the samples repo: https://github.com/openiddict/openiddict-samples/tree/dev/samples/Dantooine
Some people prefer the BFF approach and some prefer the first one. If you're looking for something easier to implement, the first option is probably the best one.
From what I understand, Authorization code flow + PKCE would be the best way to meet my needs. But that means I'll have to develop the login page on the server side, on my web api? In other words, my front blazor would simply redirect to the authorize endpoint of the api, which itself would display a login page, where the user would enter his credentials.
Yes, that's exactly how it would work.
How can I integrate google, twitter etc. connections into this scheme?
Assuming you're using the default Identity UI, it's very easy to do by adding the necessary configuration to your server app project. I updated the Balosar sample for you to demonstrate how to do that with GitHub, but it will work with any other supported provider, Twitter included: openiddict/openiddict-samples#268.
How would the refresh token be managed?
When using the built-in Blazor WASM authentication stack, it's handled transparently for you under the hood by Blazor.
Is it good practice to develop a login form on my web API? Because I would like to only have one project, I can't host a Resource Server and an additional Authorization Server, so they have to be in the same project.
Yeah, with OpenIddict, it's perfectly fine to have both your API and your authorization server (login page included) in the same app.
Hope it helped 😃
from openiddict-core.
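The single-project setup described in this reply (API and authorization server together, authorization code flow with mandatory PKCE, refresh tokens, a standalone Blazor WASM public client), written out as an added example; this is not code from the thread or from the OpenIddict samples. It assumes a recent OpenIddict 5.x, a hypothetical `ApplicationDbContext` EF Core context that calls `options.UseOpenIddict()`, and a WASM app served from `https://localhost:5001` using the default `authentication/login-callback` path.

```csharp
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOpenIddict()
    .AddCore(options => options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>())
    .AddServer(options =>
    {
        options.SetAuthorizationEndpointUris("connect/authorize").SetTokenEndpointUris("connect/token");
        // Code flow only, PKCE mandatory for every client, refresh tokens for silent renewal.
        options.AllowAuthorizationCodeFlow().RequireProofKeyForCodeExchange().AllowRefreshTokenFlow();
        options.RegisterScopes(Scopes.OpenId, Scopes.Profile, Scopes.OfflineAccess, "api");
        // Development certificates only; use managed certificates in production.
        options.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
        // Pass-through routes /connect/authorize to this app's own login page (Razor or SSR).
        options.UseAspNetCore().EnableAuthorizationEndpointPassthrough().EnableTokenEndpointPassthrough();
    })
    .AddValidation(options =>
    {
        // API controllers in the same project validate tokens against the local server.
        options.UseLocalServer();
        options.UseAspNetCore();
    });
var app = builder.Build();

// Register the standalone Blazor WASM app as a public client: no secret, PKCE required.
using (var scope = app.Services.CreateScope())
{
    var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
    if (await manager.FindByClientIdAsync("blazor-wasm-client") is null)
    {
        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = "blazor-wasm-client",
            ClientType = ClientTypes.Public,
            ConsentType = ConsentTypes.Explicit,
            // Default callback path of the Blazor WASM authentication stack; origin is assumed.
            RedirectUris = { new Uri("https://localhost:5001/authentication/login-callback") },
            Permissions =
            {
                Permissions.Endpoints.Authorization, Permissions.Endpoints.Token,
                Permissions.GrantTypes.AuthorizationCode, Permissions.GrantTypes.RefreshToken,
                Permissions.ResponseTypes.Code, Permissions.Scopes.Profile, Permissions.Prefixes.Scope + "api"
            },
            Requirements = { Requirements.Features.ProofKeyForCodeExchange }
        });
    }
}
app.Run();
```

Because the client is public and `RequireProofKeyForCodeExchange()` is set server-wide, a token request without a valid `code_verifier` is rejected even if the authorization code leaks.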
Hi 😁
First of all, thank you for your reply, it helps me.
I thought that to use the BFF, the WASM blazor had to be hosted, whereas in my case it's a standalone application.
Anyway, I think I'll go for the first case.
I've started integrating OpenIddict into my API, adding the code flow + PKCE authorization protocol.
But rather than adding a classic razor page for login, I'm adding a razor server-side-rendered component, following this guide: https://learn.microsoft.com/en-us/aspnet/core/blazor/components/integration?view=aspnetcore-8.0#add-static-server-side-rendering-static-ssr since I'm used to working with blazor. Since the component will be in server-side-rendering mode, there's no security problem, is there?
Finally, you say that the blazor wasm authentication library is deprecated. Are you talking about this one? https://learn.microsoft.com/fr-fr/aspnet/core/blazor/security/webassembly/?view=aspnetcore-8.0
Because it's the one I was going to implement.
It could look like this :
Can I have your opinion about this?
Otherwise, thanks again for updating Balosar, I'm leaning on it, and thanks also for your work, it's an excellent library and it helps demystify authentication 😁
Hey,
I thought that to use the BFF, the WASM blazor had to be hosted, whereas in my case it's a standalone application.
Yeah, if your authorization server and your Blazor app are served from different domains, using cookies is indeed impractical 😄
But rather than adding a classic razor page for login, I'm adding a razor server-side-rendered component, following this guide: https://learn.microsoft.com/en-us/aspnet/core/blazor/components/integration?view=aspnetcore-8.0#add-static-server-side-rendering-static-ssr since I'm used to working with blazor. Since the component will be in server-side-rendering mode, there's no security problem, is there?
I'm not super familiar with SSR applied to Blazor, but I don't see why it should matter (the threat model should be roughly the same as a good old web app).
Finally, you say that the blazor wasm authentication library is deprecated. Are you talking about this one? https://learn.microsoft.com/fr-fr/aspnet/core/blazor/security/webassembly/?view=aspnetcore-8.0
Yes: the .NET wrapper itself is not deprecated but the underlying JS lib is no longer supported since 2021 (https://github.com/IdentityModel/oidc-client-js). That said, if a critical bug/security issue was found, I guess Microsoft would fork it and fix themselves, so it's probably not a deal breaker for most apps.
Because it's the one I was going to implement.
Well, you sadly don't have tons of options: yes it relies on a no longer supported lib, but it's your best option, so... 😄
Otherwise, thanks again for updating Balosar, I'm leaning on it, and thanks also for your work, it's an excellent library and it helps demystify authentication 😁
Thanks for your kind words! Glad you like the project 😄
I managed to do what I wanted to do, following Balosar principles, but with Blazor SSR components instead of Razor Pages 🙂 (so, without the default Identity UI).
I added a Postman client with code flow + PKCE settings to test, and everything seems to be OK.
I think my API is now more secure, and it's gonna be easier to add an external provider now!
I'm going to close this ticket, thanks again and have a good day ;)