
I'd like to create an application using Angular2 as frontend and the new ASPNET 5 WebApi as backend, but when it comes to authentication/authorisation I feel I'm totally missing the point despite all the reading...

Ideally I'd like to authenticate users using an identity provider such as Google or Facebook using Hello.js, I don't really want to have any sort of local registration for users. And then I'd also like to use an ASPNET 5 WebApi backend to access my database.

This article describes exactly what I want, but not with an ASPNET 5 WebApi backend: https://ole.michelsen.dk/blog/social-signin-spa-jwt-server.html

I'm not sure I understand the process right: After receiving an access token from the identity provider, the SPA should send/forward it to the backend for verification. The WebApi backend should validate it against the provider (at least the first time), and create its own token (JWT) to be sent to the SPA. The SPA simply stores it (local store or session store) and the result is that the user is logged into my application.

Is this correct? Is what I want to achieve possible?

I've looked into other options such as OpenIddict, IdentityServer3/4 but as I understand it, I'd be creating my own identity provider using those, and it's not really what I need. Am I misunderstanding?

Thanks.

2 Answers


As far as I understand, you want:

  • Authentication with Google (you don't want to use the Google access token for using Google resources)

  • Authorization with a JWT token for the Web API backend.

So, you need Identity Server3/4, OpenIddict or writing your own implementation for creating the JWT token. There is a similar question with good answers (especially @Tseng's answer).

For managing the JWT token on the client side (Angular2), see the links below:

https://auth0.com/blog/2015/11/10/introducing-angular2-jwt-a-library-for-angular2-authentication/

https://damienbod.com/2016/03/02/angular2-openid-connect-implicit-flow-with-identityserver4/


8 Comments

Thanks Adem, just to clarify, why do I need OpenIddict or IdentityServer3/4 for creating JWTs? There seem to be a few examples out there to create tokens in plain C# using the Microsoft JSON Web Token Handler?
Of course, you can use own implementation. If you choose this, take a look at stackoverflow.com/questions/30546542/…
@Seb for more details about why creating your own authorization server instead of directly accepting third-party access tokens (e.g. Facebook tokens) is usually recommended, you can read this other SO thread: stackoverflow.com/a/33148160/542757.
@Pinpoint thanks, I understand simply accepting a third-party token is wrong, but is adding an extra authorization server really necessary? What if my WebApi backend receives the third-party token, validates it against the right authority to make sure it's still valid, and then generates its own token (JWT) that it sends to the SPA, which will in turn send it back with every request? Is that wrong?
@Seb well no, it's not wrong since it's basically what a custom authorization server would do (except the flow you're describing is not a standard OAuth2/OpenID Connect flow).

There is an easy answer here. Use https://auth0.com/ It's free on a small scale and all the details are handled for you. Good samples and good open source participant. No affiliation, just a fan.

1 Comment

Thanks, I've played with Auth0 too and managed to add authentication to an Angular2 app, but I'm really trying to limit dependencies to external services as a learning exercise :)
