Questions:
- Is it safe to rely on the default ASP.NET Identity cookies & anti-forgery mechanisms for an Angular app with ASP.Net Core API?
- In simple deployment scenarios are there tangible benefits to having standard ASP.NET Identity generate bearer tokens (JWTs) instead? If so, what's the best way to manage their expiration?
- Is OIDC any more secure than ASP.NET Identity for an SPA app? I.e. would it be safer to use IdentityServer?
Background:
I'm building an Angular app with ASP.Net Core API that I'd like to secure using modern best practices. I want users to be able to login via OIDC, but I don't need an OIDC server to manage access to multiple apps/services (it's only one application.) I'd like the simplest possible, secure solution.
I understand I could write code in the SPA app to initiate OIDC against each of the providers I want to support, but it seems simpler to use the external provider support built in to ASP.Net Identity. Once authenticated, it's not clear to me how the app should keep a login token/session secure against XSS and CSRF.
ASP.Net Identity uses cookies and anti-forgery tokens by default. Is that suitable for a JavaScript app? The built-in Angular support for XSRF and this csrf tutorial seem to suggest it's a standard practice. The cookies are vulnerable to XSS, but CSP & Angular can help alleviate that.
IdentityServer authors suggest OIDC access tokens should be stored in sessionStorage in conjunction with CSP. (Blogged here & questioned here.) However, those tokens are usually short-lived, so I suspect they have different trade-offs. It's my understanding that refreshing an OIDC access token is likely to use a session cookie to access the OIDC server anyway, is that true?
Why do IdentityServer & JWTs seem so much more popular than ASP.Net Identity? Do people truly need the benefits of an STS or tokens to support mobile apps, or is it just technically interesting?
Additional Considerations:
- If I wanted to divide the identity vs data APIs into separate ASP.Net Core projects (but still deploy them on the same domain/server) would that change the answer to the questions above?
- Does OIDC offer any other benefits? (Given that I only have one API.) Is sign-out easier/better?
- Similar question with no consideration for SPAs
- Similar question with no consideration of OIDC
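To make the cookie + anti-forgery setup asked about above concrete, here is an added example (not code from the question, from ASP.NET Core or from Angular) of an ASP.NET Core 3.x Startup that hardens the Identity session cookie and wires the anti-forgery service to the cookie/header names Angular's HttpClientXsrfModule uses by default; the Startup class, the middleware placement and the SameSite choice are assumptions for this illustration.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example, not code from the question: ASP.NET Core 3.x Startup wiring
// the Identity session cookie plus anti-forgery for an Angular SPA.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Session cookie issued by ASP.NET Core Identity: unreadable by script
        // (limits XSS theft), HTTPS only, and not sent on cross-site requests.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict; // use Lax if cross-site redirects need it
        });

        // Angular's HttpClientXsrfModule copies the XSRF-TOKEN cookie into the
        // X-XSRF-TOKEN header; tell anti-forgery to read the token from that header.
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

        // Validate the header on every unsafe method (POST/PUT/PATCH/DELETE).
        services.AddControllers(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.UseRouting();
        app.UseAuthentication();

        // Runs after authentication so the token is bound to the signed-in user.
        // GetAndStoreTokens sets the HttpOnly anti-forgery cookie; XSRF-TOKEN is the
        // script-readable half that Angular echoes back in the header.
        app.Use(async (context, next) =>
        {
            var tokens = antiforgery.GetAndStoreTokens(context);
            context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
            await next();
        });

        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

The anti-forgery pair only defends against CSRF; a script already running on the page can still call the API with the session cookie, which is why the question's CSP point still matters.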