
I have been reading the Quickstart from IdentityServer4 and still have some doubts on how to implement the Implicit flow for a SPA.

My setup is the following:

  • IdentityServer4 as the token server
  • An API that needs protection (using WebAPI Core)
  • A SPA using Angular

My question is simple: Is the login screen where the user enters username and password the one provided by IdentityServer or is the Angular app providing this login window? If we are to use the login window provided by IdentityServer, is it best practice to just redirect to it, or should it be displayed inside an iframe in the Angular app?

General Grievance
  • First of all, don't use iframes in Angular 6. I assume your API routes are on your token server, so you can have a login form in Angular 6 and just use the HttpModule and HttpClient that come with Angular 6 to do your GET or POST requests and subscribe to the responses accordingly – Rogelio Mar 06 '19 at 04:10
  • The API routes (WebAPI Core) and the token server are running on different servers. By design the token server was created as a completely separate application from the resources it is meant to protect. – user10892598 Mar 07 '19 at 18:40

1 Answer


If using implicit (or any other browser-based flow like hybrid or authorization code), then the login UI lives on the IDP and you'll be doing a full browser redirect to perform interactive authentication. Once an IDP session has been established, the access token used to call your backend can be refreshed silently in the background.

It's also worth noting that implicit flow for JavaScript clients has been deprecated now and you should use hybrid with PKCE. The latest build of oidc-client-js supports hybrid out of the box, as well as automatic silent token renewal and session monitoring.

mackie
  • Thank you for the clear explanation. I am looking at a recent OAuth spec draft and clearly they are saying not to use Implicit, but they are recommending Authorization Code with PKCE, not hybrid. Is Hybrid better suited for an Angular SPA than Authorization Code? – user10892598 Mar 06 '19 at 19:32
  • Here is the link to the OAuth draft: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-3.1 – user10892598 Mar 06 '19 at 19:33
  • You are correct, the recommendation is indeed to use auth code. Hybrid and authorization code are very similar: hybrid just includes an id_token and auth code does not, but the process for obtaining the access token is the same. – mackie Mar 07 '19 at 10:11