0

I'm working on projects that use both .NET Framework and .NET Core using ID Server 3/4 respectively (and of course separately) and I have become aware of the Implicit flow and how it works for JavaScript clients. I do notice that it uses cookies and I think that is why a lot of redirects are happening, etc.

But in hindsight, it made me wonder if that would have made a previous project better if we had known about Implicit flow then but without the use of cookies and just relying on session storage. Would that have been possible?

Dandré

1 Answer

1

Using the implicit flow doesn't mean you are forced to use cookies to store user data/tokens.

Yes, for an implicit client you could store the tokens in session storage. This is the default for popular client libraries such as oidc-client.

Just be aware that with this approach user data and tokens are visible to the browser, the user, and any other JS running in your site.

Scott Brady
  • Would you have a link that would explain how to configure both? (thanks for the reply, BTW) – Dandré Oct 29 '18 at 08:07
  • I have an article on using oidc-client with Angular: https://www.scottbrady91.com/Angular/SPA-Authentiction-using-OpenID-Connect-Angular-CLI-and-oidc-client or a user group talk on the same subject, with more detail on the implicit flow: https://www.scottbrady91.com/Angular/SPA-Identity-and-Access-Control-with-OpenID-Connect-and-IdentityServer4 – Scott Brady Oct 29 '18 at 08:55
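
As an added illustration of the answer above (not code from the post or from oidc-client): a minimal callback handler that reads the implicit-flow response from the URL fragment and keeps it in session storage, with no cookie involved. `MemoryStorage`, the function names, the `oidc.*` keys and the callback URL are hypothetical; in a browser, pass `window.sessionStorage` as `store`.

```javascript
// Stand-in for window.sessionStorage so the example also runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Before redirecting to the authorize endpoint, remember the random state value.
function beginLogin(store, state) {
  store.setItem('oidc.state', state);
}

// The implicit flow returns tokens in the URL fragment of the redirect.
// A real client library additionally validates the id_token (signature, nonce).
function handleImplicitCallback(callbackUrl, store, nowSeconds) {
  const fragment = new URL(callbackUrl).hash.replace(/^#/, '');
  const params = new URLSearchParams(fragment);
  if (params.has('error')) throw new Error('authorization error: ' + params.get('error'));

  const expected = store.getItem('oidc.state');
  store.removeItem('oidc.state'); // state is single use
  if (!expected || params.get('state') !== expected) throw new Error('state mismatch');

  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  const user = {
    access_token: accessToken,
    id_token: params.get('id_token'),
    expires_at: nowSeconds + Number(params.get('expires_in') || 0),
  };
  // Stored per tab, never sent with requests automatically, but readable by
  // every script running on the same origin.
  store.setItem('oidc.user', JSON.stringify(user));
  return user;
}

// Return the stored user, or null (and clear the entry) once the token expired.
function currentUser(store, nowSeconds) {
  const raw = store.getItem('oidc.user');
  if (!raw) return null;
  const user = JSON.parse(raw);
  if (user.expires_at <= nowSeconds) { store.removeItem('oidc.user'); return null; }
  return user;
}
```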