
I'd like to create an application using Angular2 as frontend and the new ASPNET 5 WebApi as backend, but when it comes to authentication/authorisation I feel I'm totally missing the point despite all the reading...

Ideally I'd like to authenticate users using an identity provider such as Google or Facebook using Hello.js; I don't really want to have any sort of local registration for users. And then I'd also like to use an ASPNET 5 WebApi backend to access my database.

This article describes exactly what I want, but not with an ASPNET 5 WebApi backend: https://ole.michelsen.dk/blog/social-signin-spa-jwt-server.html

I'm not sure I understand the process right: After receiving an access token from the identity provider, the SPA should send/forward it to the backend for verification. The WebApi backend should validate it against the provider (at least the first time), and create its own token (JWT) to be sent to the SPA. The SPA simply stores it (local store or session store) and the result is that the user is logged into my application.

Is this correct? Is what I want to achieve possible?

I've looked into other options such as OpenIddict, IdentityServer3/4 but as I understand it, I'd be creating my own identity provider using those, and it's not really what I need. Am I misunderstanding?

Thanks.

Seb

2 Answers

As far as I understand, you want:

  • Authentication with Google (you don’t want to use the Google access token for using Google resources)

  • Authorization with a JWT token for the web API backend.

So, you need Identity Server3/4, OpenIddict or writing your own implementation for creating the JWT token. There is a similar question with good answers (especially @Tseng’s answer).

For managing the JWT token on the client side (Angular2), see the links below:

https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/

https://damienbod.com/2016/03/02/angular2-openid-connect-implicit-flow-with-identityserver4/

adem caglin
  • Thanks Adem, just to clarify, why do I need OpenIddict or IdentityServer3/4 for creating JWTs? There seem to be a few examples out there to create tokens in plain C# using the Microsoft JSON Web Token Handler? – Seb Apr 19 '16 at 06:49
  • Of course, you can use your own implementation. If you choose this, take a look at http://stackoverflow.com/questions/30546542/token-based-authentication-in-asp-net-5-vnext-refreshed – adem caglin Apr 19 '16 at 08:50
  • @Seb for more details about why creating your own authorization server instead of directly accepting third-party access tokens (e.g Facebook tokens) is usually recommended, you can read this other SO thread: http://stackoverflow.com/a/33148160/542757. – Kévin Chalet Apr 19 '16 at 12:15
  • @Pinpoint thanks, I understand simply accepting a third party token is wrong, but is adding an extra authorization server really necessary? What if my WebApi backend receives the third party token, validates it against the right authority to make sure it's still valid, and then generates its own token (JWT) that it sends to the SPA, which will in turn send it back with every request? Is that wrong? – Seb Apr 19 '16 at 14:02
  • @Seb well no, it's not wrong since it's basically what a custom authorization server would do (except the flow you're describing is not a standard OAuth2/OpenID Connect flow). – Kévin Chalet Apr 19 '16 at 14:04
  • Aha! Here's my answer :) So basically, going the way I described is simply not OAuth'ish, but it'd work, right? It's just that I want to create the application as a SPA and ideally I'd like the full login/registration process to be without a single refresh or redirect, which I think is currently not possible with OpenIddict and Identity Server3/4? And therefore I thought of using Hello.js to take care of the social stuff through a pop up... – Seb Apr 19 '16 at 14:14
  • Yes, it would work. But you'd have to be extremely careful when implementing this kind of routine, to avoid the "confused deputy attacks" mentioned in the other SO thread. Note that handling "the social stuff" through a popup is definitely possible with OpenIddict (I'll publish a sample soon). It should also work with IdSrv (I'd be extremely surprised if it was not true). – Kévin Chalet Apr 19 '16 at 21:36
  • An example with OpenIddict would be awesome @Pinpoint, thanks! :) – Seb Apr 20 '16 at 13:26

There is an easy answer here. Use https://auth0.com/. It's free on a small scale and all the details are handled for you. Good samples and a good open source participant. No affiliation, just a fan.

jeff
  • Thanks, I've played with Auth0 too and managed to add authentication to an Angular2 app, but I'm really trying to limit dependencies on external services as a learning exercise :) – Seb Apr 18 '16 at 21:27