
With ASP.NET Core 5, Angular 10 and Identity Server 4 I created 4 applications:

  1. Auth using Identity Server 4;
  2. ASP.NET Core 5 API;
  3. ASP.NET Core 5 MVC;
  4. Angular 10 SPA.

On the Angular application (4) I am using OIDC Client JS and Code Grant Type.

The Asp.Net Core 5 MVC application (3) also needs to access the API ...

I am using Identity Model, but what Grant Type should I use in the MVC application?

Code as in the Angular application (Is this possible?)? Client Credentials?

Miguel Moura
  • Do you want to call the API on behalf of the signed-in user? Authorization code is your best bet. Or do you want to do the call as the app itself (with no user info in token)? Client credentials. – juunas Nov 09 '20 at 12:22
  • In this case on behalf of the application itself. It is just an application to perform some automated tasks. In terms of security, are both grant types equally secure? – Miguel Moura Nov 09 '20 at 12:52
  • There is no need to use any grant type in the REST API as long as you do not want to impersonate the user. What the API checks is a valid token, and authorization if enabled. – CoderSam Nov 09 '20 at 12:57

1 Answer

  1. If you log the user in on the MVC application and you want to call the API on behalf of the user, use the Code flow. In this case the only difference between the MVC and Angular apps is that the ASP.NET Core 5 MVC app is a confidential client and you can use the Code flow, but the Angular 10 SPA client is a public client and you should use Code + PKCE. It is, however, recommended to use PKCE in both cases.

  2. If you just call an API through MVC as the app itself and not on behalf of the user, you can use the Client Credentials flow. This flow is for server-to-server scenarios and it is secure. In this case you should do authorization for the MVC app as well.

nahidf
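
The two client types the answer distinguishes, as an added example that is not part of the original post: an IdentityServer4 registration for the MVC app as a confidential Client Credentials client beside the Angular SPA as a public Code + PKCE client, followed by the IdentityModel token request the MVC app would make. The client ids, the scope name `api`, the redirect URI and the secret placeholder are assumptions.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;

public static class Config // lives in the Auth (IdentityServer4) application
{
    public static IEnumerable<Client> Clients => new[]
    {
        // MVC app calling the API as itself: confidential client, no user in the token.
        new Client
        {
            ClientId = "mvc.tasks", // assumed id
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("<placeholder-secret>".Sha256()) },
            AllowedScopes = { "api" } // assumed scope; grant only what the tasks need
        },
        // Angular SPA: public client, cannot keep a secret, so PKCE protects the code exchange.
        new Client
        {
            ClientId = "spa", // assumed id
            AllowedGrantTypes = GrantTypes.Code,
            RequireClientSecret = false,
            RequirePkce = true,
            RedirectUris = { "https://spa.example/callback" }, // assumed URI
            AllowedScopes = { "openid", "api" }
        }
    };
}
public static class ApiClientFactory // lives in the MVC application
{
    public static async Task<HttpClient> CreateAsync(string authority, string clientSecret)
    {
        var http = new HttpClient();
        var disco = await http.GetDiscoveryDocumentAsync(authority);
        if (disco.IsError) throw new HttpRequestException(disco.Error);
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "mvc.tasks",
            ClientSecret = clientSecret, // load from configuration or a secret store
            Scope = "api"
        });
        if (token.IsError) throw new HttpRequestException(token.Error);
        http.SetBearerToken(token.AccessToken); // later calls carry the app's own token
        return http;
    }
}
```

The token issued to `mvc.tasks` carries no user claims, so the API has to authorize it by client and scope rather than by user identity.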