Is this OAuth or something else?

[rwwilden]

I really like that IdentityServer is integrated but I do not understand what the flow is for getting an access token. This is directed at SPAs so is this the OAuth implicit flow? And if so, what are the thoughts about implicit flow no longer being advised by the OAuth working group (https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/, https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926).

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 21cb7455-3305-9316-5440-bdc22947a82d
• Version Independent ID: 137d4b94-7b26-3911-b22d-42c754a95fc1
• Content: Introduction to authentication for Single Page Applications on ASP.NET Core
• Content Source: aspnetcore/security/authentication/identity-api-authorization.md
• Product: aspnet-core
• GitHub Login: @javiercn

[Rick-Anderson]

Hello! Thanks for contacting us. This sounds like a general question about using ASP.NET Core. While we try to look at and respond to all issues, for questions like this we recommend posting to a community support group like Stack Overflow with the asp.net-core tag.

[damienbod]

@rwwilden @Rick-Anderson Looks like this example is using the OIDC implicit flow which is no longer recommended. The js lib used here also supports the 'code' flow. Maybe you could consider updating this.

[rwwilden]

@Rick-Anderson this was not a general question about ASP.NET Core but a specific question on the type of OAuth flow that is used to authorize users in the article. It seems that implicit flow is used.

The next question then is what @damienbod also says: the OIDC implicit flow is no longer recommended so maybe it's a good idea to use authorization code flow with PKCE.

[Rick-Anderson]

@Tratcher please review

[javiercn]

This is me, not @Tratcher

[Tratcher]

No actually. It's identity server.

[javiercn]

No, it’s me. It’s a question about our support.

[damienbod]

@javiercn yes the template is using 'token id_token'. If you switched to code with PKCE, this would not be much effort and a better solution. (silent renew as it is, not refresh tokens)

It should also be mentioned that cookies are a good solution when using same domain for API and UI.

Greetings Damien

[Tratcher]

Sorry @javiercn, I'd read that wrong on my phone. I thought you had assigned it to me.

[damienbod]

I made a blog about choosing the best flow for this type of app. Maybe you could update the docs with something like this

https://damienbod.com/2019/04/02/securing-browser-based-javascript-typescript-applications/

[BDTomasz]

Unable to run the command
dotnet new angular -o FooBarProj -au Individual

Invalid input switch:
-auth
Individual

[Rick-Anderson]

@BDTomasz
Open an issue at https://github.com/dotnet/cli
report your version

[SidShetye]

When will the documentation be updated for recommended approach to authentication for SPAs?

[brightertools]

@damienbod I have seen you comments, which reflect that implicit flow is not recommended, it would be great if you can create an example of this based on the example above, if it's not too much effort to extend it.. that would be a great help. Also if we can get an example of accessing the user claims etc on the server that would be a bonus...
This is a great example, but could be much better with these things included.

[javiercn]

We moved to code+pkce as of preview8

[brightertools]

@javiercn : ok great, I think I am looking at preview6 and now see a preview7, do I need to wait for preview8?

[javiercn]

Yes.

[SidShetye]

@javiercn - could you please link to the work-item issue for the code+pkce changes?

[javiercn]

7bf660947baf8966cd65ae6a3708cf283576dc25

[javiercn]

dotnet/aspnetcore@7bf6609