
I'm developing a Blazor WASM hosted application and have some questions on how to properly secure it.

The idea is that users will authenticate using an external identity provider (OpenIDConnect/PKCE), however I do not have access to the identity provider to change its configuration. The app is able to authenticate users with the Microsoft.AspNetCore.Components.WebAssembly.Authentication library, but I'm unable to secure my API.

Since I cannot change the IP's configuration to include access to my API in the access token, what options do I have? Do I have to use IdentityServer? Can I use this (https://identityserver4.readthedocs.io/en/latest/topics/signin_external_providers.html) even though the external IP the app is using is not listed among the external providers (Google etc.)? How can I secure my API?

Thanks in advance!

robaru_
  • I think you have to _split_ this question. What you're looking for is a "course", not an answer. It will be simpler and more useful to everyone to create specific questions. – Nicola Biada Aug 26 '21 at 07:30
  • Yes, I understand what you mean. I just left the crucial parts in, and I'm not looking for a specific answer, just a push in the right direction will suffice :) I just don't want to start implementing IdentityServer not knowing whether it's possible with it or not. – robaru_ Aug 26 '21 at 08:50

1 Answer

I think you cannot achieve this without access to the external provider.
This is because you need a ClientId and a ClientSecret from your external provider inside the configuration of your Server app (where your web APIs reside).
And your external identity provider has to be configured with an authorized redirect URI pointing to your page, something like https://localhost:5001/signin-openid (probably this already works at the moment).

All these configurations have to be done inside your external OpenID provider.
You don't need ID4 for this kind of configuration; ASP.NET Identity is enough for it.

Nicola Biada
  • Thank you for your answer. What I meant by not having access to the IP was that I can't configure it myself, though I can contact them by email. I've already received a clientID and clientSecret from them (though the clientSecret isn't used because I'm using PKCE), and the redirect URL is configured there as well. Authentication works otherwise, I'm just not able to secure the API. I'm getting an unauthorized exception now (invalid access token), and I also can't decode the access token in jwt.io. Am I missing something? – robaru_ Aug 26 '21 at 09:54
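The pieces the answer lists (a client id from the provider, a registered redirect URI, and the Server project that hosts the web APIs) map onto the configuration below. This is an added illustration, not code from the question, the answer, or the Microsoft library; the provider URL https://idp.example.com, the client id blazor-client and the audience/scope my-api are assumed placeholders that have to come from the real provider. The Server side validates the access token as a JWT against the provider's discovery document, which only works when the provider issues JWT access tokens whose aud (or scope) names the API.

```csharp
// ---- Client/Program.cs (Blazor WebAssembly) ----
// Added example. Assumes a hypothetical OIDC provider at https://idp.example.com,
// client id "blazor-client" and an API audience/scope "my-api".
using System;
using System.Net.Http;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");

builder.Services.AddOidcAuthentication(options =>
{
    // Authorization code flow with PKCE: a public client, so no client secret is shipped.
    options.ProviderOptions.Authority = "https://idp.example.com"; // assumed
    options.ProviderOptions.ClientId = "blazor-client";            // assumed
    options.ProviderOptions.ResponseType = "code";
    // The provider must be configured to honour this scope and put the matching
    // audience into the access token; otherwise the token is not meant for the API.
    options.ProviderOptions.DefaultScopes.Add("my-api");           // assumed
});

// HttpClient that attaches the bearer token only to requests to the app's own origin.
builder.Services.AddHttpClient("ServerAPI",
        client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
builder.Services.AddScoped(sp =>
    sp.GetRequiredService<IHttpClientFactory>().CreateClient("ServerAPI"));

await builder.Build().RunAsync();

// ---- Server/Program.cs (ASP.NET Core host) ----
// Needs the Microsoft.AspNetCore.Authentication.JwtBearer package.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Issuer and signing keys are pulled from
        // {Authority}/.well-known/openid-configuration, so no secret is needed here.
        options.Authority = "https://idp.example.com"; // assumed
        options.MapInboundClaims = false;              // keep raw claim names such as "sub"
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,     // issuer is filled in from the discovery document
            ValidateAudience = true,
            ValidAudience = "my-api",  // assumed; must equal the token's aud claim
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication(); // must run before UseAuthorization
app.UseAuthorization();

// Every API endpoint requires a valid bearer token; nothing is reachable anonymously by accident.
app.MapGet("/api/whoami", (ClaimsPrincipal user) => new
    {
        Subject = user.FindFirst("sub")?.Value,
        Scope = user.FindFirst("scope")?.Value,
    })
    .RequireAuthorization();

app.MapFallbackToFile("index.html");
app.Run();
```

Two caveats worth checking before switching on the Server side. If the provider cannot add the API as an audience, setting ValidateAudience to false makes the handler accept any token the provider issued for any of its clients, so the API should then at least check the scope claim itself. And if the access token does not decode as a JWT at all, the JwtBearer handler will reject it as invalid; an opaque token can only be checked by calling the provider's token introspection endpoint (RFC 7662) or userinfo endpoint, which the provider has to expose.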