Authenticating SPA+API with Authentication Server

  • Question

  • User-1095454647 posted

    I have been reading about OAuth and JWT in general. One question that has been troubling me is around authentication of SPA that use APIs to provide data.

    As per my understanding -

    1. SPA shows the user a login page.
    2. User enters credentials and hits the login button.
    3. API takes the credentials and verifies them against its database.
    4. API generates a JWT token and adds a signature using a secret string value that only the API knows.
    5. JWT is sent back to the SPA and the SPA stores it in cookies or just creates a global variable.
    6. SPA sends this JWT to the API with each HTTP request.
    7. API doesn't have to validate it against the DB, it just has to verify that it is a valid JWT and is still active. It can do so because it has the secret key with which the token was signed.

    Is my understanding correct? If so then what happens if there is a separate Authentication server?

    1. The SPA will redirect the user to the Authentication Server's login page.
    2. User enters credentials and then the Authentication Server validates them, generates an Authentication Code and sends it back to the SPA on the callback URL.
    3. This Authentication Code is sent to the API and the API sends it to the Authentication Server along with a clientId and a clientSecret.
    4. The Authentication Server will generate an access token and send it to the API, and the API will send it to the SPA.
    5. The SPA will carry this token in each request.

    The API is able to verify that it is a valid token since it has the ClientId and Client Secret that were used to generate the token by the Authentication Server??

    Is that how it works? Is my understanding correct?

    Saturday, June 6, 2020 6:36 PM

All replies

  • User711641945 posted

    Hi Arby360,

    The API is able to verify that it is a valid token since it has the ClientId and Client Secret that were used to generate the token by the Authentication Server??

    The API will send a request to the Authentication Server to verify whether the token is valid or not; there is no need to use the client id and client secret.

    A simple demo that uses Identity Server 4 as the authentication server. There is a URL to configure IDS and the name of this API registered in IDS:

    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Logging;

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();

            // Register JWT bearer authentication as the default scheme
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    // base-address of your identityserver; the discovery document
                    // and signing keys are fetched from here to validate tokens
                    options.Authority = "https://demo.identityserver.io";

                    // name of the API resource; tokens whose "aud" claim does
                    // not contain this value are rejected
                    options.Audience = "api1";
                });
        }

        public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
        {
            // Authentication must run before MVC so endpoints see the validated identity
            app.UseAuthentication();
            app.UseMvc();
        }
    }

    Best Regards,

    Rena

    Tuesday, June 9, 2020 7:23 AM
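Added example (not from the thread or from IdentityServer) showing what steps 4 and 7 of the question's first flow and the Authority/Audience checks in the reply's configuration actually do: the API signs a JWT with a secret only it knows, then later accepts or rejects a bearer token purely by checking signature, expiry, issuer and audience, with no database lookup. The secret, issuer URL and audience name are constructed demo values.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not from the thread): the secret only the
# API knows, the issuer it trusts and the audience name registered for this API.
API_SECRET = b"demo-secret-known-only-to-the-api"
TRUSTED_ISSUER = "https://auth.example.test"
EXPECTED_AUDIENCE = "api1"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(subject: str, secret: bytes, now: int, ttl: int = 300) -> str:
    """Step 4: sign header.payload with HS256 using a secret only the API knows."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, now: int):
    """Step 7: accept or reject a bearer token with no database lookup.
    Returns (claims, None) on success or (None, reason) on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:
        return None, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed"
    # Pin the algorithm: never let the token's own header choose how it is verified.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None, "bad signature"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "expired"
    # Same checks the AddJwtBearer Authority/Audience settings perform on the API side.
    if claims.get("iss") != TRUSTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None, "wrong issuer or audience"
    return claims, None
```

In the second flow the authentication server does the signing instead and the API only needs the server's public signing keys (fetched from the Authority) to run the same verification, which is why the API never needs the client secret.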