I have a question regarding the best standard architecture for authorization in a web application that is written in ASP.NET Web API on the backend and has an AngularJS client side.
According to what I had seen before, the "Resource Owner Credentials" flow is what would be used in such cases, where the web app would send the user's credentials to the server and obtain an access token (and refresh token), and then, using an interceptor, every call to the backend APIs would contain the access token in the header.
However, I have recently seen arguments about it being a bad idea, as it gives the user's credentials to the client app.
What is the best flow for a scenario where you have a JavaScript client directly calling your Web APIs? What is the best way to secure it using Identity Server?