21

I am building a SPA using React and Redux on top of dotnet core 2.0. Unfortunately, the vs2017 template for this does not include Authentication/Authorization.

In looking around, I saw many people talking about the use of JWT's and suggesting things like Identity Server or OpenIddict to handle this, but I have only ever used ASP.NET identity to handle security before.

My question is, is it possible to secure a react app by using ASP.NET identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?

Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?

Aleksandr Albert
  • 1,777
  • 1
  • 19
  • 26
  • You sure can, see this https://forums.asp.net/t/2113140.aspx?Identity+Login+using+Ajax+MVC. Using JWT or OAuth2 or cookies, it all depends on the use case you are trying to cater to. So it is not necessary to use JWT but you would decide what to use based on what you are trying to do. If you have just a SPA then cookies or JWT anything would work – Tarun Lalwani May 20 '18 at 13:01
  • I think this gives a full solution to what you are looking for https://www.pointblankdevelopment.com.au/blog/135/react-redux-with-aspnet-core-20-login-registration-tutorial-example and this is one as well https://auth0.com/blog/developing-web-apps-with-asp-dot-net-core-2-dot-0-and-react-part-1/ let me know if that helped. – Maytham Fahmi May 26 '18 at 14:02

2 Answers2

5

I will try to answer by your questions.

Q.1. Is it possible to secure a react app by using aspnet identity alone, and if so, why do so many people jump straight to JWT's as the solution for securing SPA apps?

Q.2. Is token based authentication the only method that works with a SPA app, or can I use Cookie based authentication?

Answer To First Question(this question technically related to difference between cookie based and token based authentication approach.)

Cookie based authentication system

  • cookie based session is StateFull. as here server needs track of active session,while on front end/client end a cookie is created that holds a session identifier.
  • you can secure your web api using cookie based authentication system. but in a very limited scope, because ,cookie based system doesn't work well, on native clients or suppose if your web api is going to be consumed by some other web api,

Token based authentication system

  • it is StateLess as server doesn't keep here the track of which token are issued or which users are log in.

  • Here server needs to verify only the validity of the token. so token based approach is more decupled than cokie based.

Sources

Answer To Second Question

Yes you can implement cookie based authentication in spa by using OWIN Cookie Authentication middileware .

you can find more information regarding it on following link.

https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

Hope above will help.

Trilok Kumar
  • 571
  • 6
  • 12
0

If you are going to have React and API in one domain, and the SPA would be the only client of API it may be recommended to use cookie based authentication with SameSite Cookies.

axelio
  • 159
  • 4