
I am using Identity Server 4 to implement authentication and authorization in order for users to get access to my APIs. It uses OIDC with Implicit Flow to authenticate an Angular 2 client application:

    new Client
    {
        ClientName = "angular2client",
        ClientId = "angular2client",
        AccessTokenType = AccessTokenType.Jwt,
        AllowedGrantTypes = GrantTypes.Implicit,
        AllowAccessTokensViaBrowser = true,
        RedirectUris = new List<string>
        {
            "http://localhost:5000" //we have to provide https for all the urls
        },
        PostLogoutRedirectUris = new List<string>
        {
            "http://localhost:5000/Unauthorized"
        },
        AllowedCorsOrigins = new List<string>
        {
            "http://localhost:5000"
        },
        AllowedScopes = new List<string>
        {
            "openid",
            "resourceAPIs"
        }
    }

I am planning to provide a reset-password option for users by sending links to their emails. In the traditional implementation, I would add an entry to my DB with a custom hash, userId, and expiration period, then send that link to the user. When he requests the reset password link, I validate it against my DB and check whether that entry is still valid.

Currently, my solution is composed of two servers: Identity Server, Resource Server (APIs) and an Angular 2 application. Users have to get a token to access the application, then comes the authorization to access the APIs. If the token is not valid they cannot call the APIs. This is how the resource server validates the token:

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = "http://localhost:44311",
        ScopeName = "resourceAPIs",   // renamed ApiName in later IdentityServer4.AccessTokenValidation releases
        RequireHttpsMetadata = false  // dev only; production should require HTTPS metadata
    });

If I want to do that using Identity Server 4, and send an email link with a token that allows him to access the change-password API, what changes shall I make to the client?

Shall I add another client which has access to this single "Reset Password API", to prevent him from using the same token to access the resource APIs? What are the best practices in such an implementation?

Hussein Salman

1 Answer


As with Identity Server 3, password reset is not a responsibility of Identity Server. You should rely on the underlying membership provider system (ASP.NET Identity or MembershipReboot) to reset the password. By the way, you can host the reset screens in the Identity Server host.

rawel
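To make the answer concrete, here is an added example (it is not code from the question or from the answer above) of hosting the reset screens in the IdentityServer4 host on top of ASP.NET Core Identity. It also covers the asker's second question: the reset token is produced and verified by Identity's own token provider and never becomes an IdentityServer access token, so no extra client or scope is needed to keep it away from the resource APIs. The names ApplicationUser, PasswordResetController, ResetPasswordViewModel and the view names are assumptions; IEmailSender is the Microsoft.AspNetCore.Identity.UI.Services interface (or any equivalent you register yourself).

```csharp
// Added example, not part of the original question or answer.
// Assumptions: ApplicationUser is the host's IdentityUser subclass; views named
// ForgotPasswordConfirmation, ResetPassword and ResetPasswordConfirmation exist.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
public class PasswordResetController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IEmailSender _emailSender;

    public PasswordResetController(UserManager<ApplicationUser> userManager, IEmailSender emailSender)
    {
        _userManager = userManager;
        _emailSender = emailSender;
    }

    // Step 1: the user asks for a reset link. The response is identical whether or
    // not the address is registered, so the endpoint cannot enumerate accounts.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ForgotPassword(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user != null && await _userManager.IsEmailConfirmedAsync(user))
        {
            // Identity's DataProtectorTokenProvider issues the token: it is bound to
            // the user's SecurityStamp (so it dies when the password changes), has its
            // own lifetime (DataProtectionTokenProviderOptions.TokenLifespan), and is
            // not an IdentityServer access token, so it grants nothing at the APIs.
            var token = await _userManager.GeneratePasswordResetTokenAsync(user);
            var link = Url.Action(nameof(ResetPassword), "PasswordReset",
                new { userId = user.Id, code = token }, Request.Scheme);
            await _emailSender.SendEmailAsync(email, "Reset your password",
                $"Reset your password by following this link: {link}");
        }
        return View("ForgotPasswordConfirmation");
    }

    // Step 2a: the link is followed; show the form carrying the opaque token.
    [HttpGet]
    public IActionResult ResetPassword(string userId, string code)
    {
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(code))
            return BadRequest();
        return View(new ResetPasswordViewModel { UserId = userId, Code = code });
    }

    // Step 2b: the new password is submitted. ResetPasswordAsync validates the token
    // (purpose, expiry, security stamp) before changing anything, and rotating the
    // stamp on success makes the token single-use.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await _userManager.FindByIdAsync(model.UserId);
        if (user == null)
            return View("ResetPasswordConfirmation"); // same response, no enumeration

        var result = await _userManager.ResetPasswordAsync(user, model.Code, model.NewPassword);
        if (!result.Succeeded)
        {
            // Typically "Invalid token": expired, already used, or the stamp changed.
            foreach (var error in result.Errors)
                ModelState.AddModelError(string.Empty, error.Description);
            return View(model);
        }
        return View("ResetPasswordConfirmation");
    }
}

public class ResetPasswordViewModel
{
    public string UserId { get; set; }
    public string Code { get; set; }
    public string NewPassword { get; set; }
}
```

The default lifetime of these tokens is one day; shorten it in ConfigureServices with services.Configure&lt;DataProtectionTokenProviderOptions&gt;(o => o.TokenLifespan = TimeSpan.FromHours(1)). Because the whole flow lives in the IdentityServer host and talks to the user store directly, the Angular client configuration in the question needs no change, and the "one token for everything" concern does not arise.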