Well, there are two standard models here and you need to choose one of them, depending on the factors you care most about:
OPTION 1: SPA SCENARIO
- The SPA is the OAuth client and authenticates via JavaScript tech
- The API is the OAuth resource server
It is not standard for a resource server to handle the authentication flow for a client – instead a client should authenticate, then call the resource server.
OPTION 2: WEB BACK END SCENARIO
People most commonly choose this option when they want to keep tokens out of the browser’s JavaScript code:
- A Web Back End in C# is the OAuth client
- The Web Back End needs to securely communicate with the browser and has to use an auth cookie for this
- To call an API the browser needs to either send the cookie to the web back end to get a token, or double hop all API calls via the web back end
ABOUT OIDC CLIENT
Personally I prefer option 1, which I think is closer to overall SPA Goals, such as cross domain hosting and use of content delivery networks. OIDC Client can actually lead to a fairly simple SPA security implementation, as in this Client Side Implementation of mine.
Source: stackexchange.com