IFRCGo / cbs

Red Cross: Community-Based Surveillance
https://cbsrc.org/

Automatically redirect to login for Kestrel / ASP.NET Core for production #677

Open einari opened 6 years ago

einari commented 6 years ago

Look at something similar to this for automatically redirecting to the desired login page to force users to log in.

https://github.com/tarachandverma/nginx-openidc

jakhog commented 6 years ago

As far as I remember, we store the user token (or what you call them) in localstorage on the browser side now. So there is really no way to do this right now, as I can see?

Or are you thinking to do the authentication on the server-side?

(I admit I haven't read the link carefully yet)

einari commented 6 years ago

The id_token sits on the client - but I want to force the initiation of the authentication process. When we get to the backend and actually want auth tokens / refresh tokens, we should go through the back channel to the authority and do this. This is the Hybrid flow as I understand it from OpenID.

jakhog commented 6 years ago

Hmm, I still don't understand fully... Maybe I'm confused by the "frontend Nginx" in the title.

Are we talking about authentication for 1) serving the frontend-apps (html+js+...), or 2) serving calls to the different backends?

If 1: How will nginx know if the user is already authenticated or not, if we don't send the id_token?

If 2: Then I'm fine, then the id_token can be appended to backend calls.

einari commented 6 years ago

Since we have the frontend served by a dedicated Nginx instance and the backend running on its own through Kestrel, I've been thinking that we should have an auto redirect for authentication purposes for everything. And the earlier we do it the better. But I'm very open to input here if this does not make sense.

Our exposed endpoints will require authorized users - and eventually require roles / claims.
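One way to get the behaviour discussed in this thread on the Kestrel side, as an added example that is not code from the IFRCGo/cbs repository: an ASP.NET Core 2.x `Startup` that uses the OpenID Connect hybrid flow (`code id_token`) with a cookie as the sign-in scheme, plus a global authorization filter so every endpoint that is not `[AllowAnonymous]` challenges unauthenticated requests and therefore redirects them to the authority's login page. The configuration keys (`Oidc:Authority`, `Oidc:ClientId`, `Oidc:ClientSecret`), the `admin` role name and the `Admin` policy are assumptions for illustration; the NuGet packages used are `Microsoft.AspNetCore.Authentication.OpenIdConnect` and `Microsoft.AspNetCore.Authentication.Cookies`.

```csharp
// Startup.cs (added example; not code from the IFRCGo/cbs repository).
// Assumes ASP.NET Core 2.x, the OpenIdConnect and Cookies authentication packages,
// and an OpenID Connect authority whose URL, client id and client secret are read
// from configuration (never from source). Key names are assumptions.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Signed-in users are tracked by an auth cookie. Anyone without one is
            // challenged, and the challenge scheme (OIDC) is what produces the redirect.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = _configuration["Oidc:Authority"];     // assumed config key
            options.ClientId = _configuration["Oidc:ClientId"];       // assumed config key
            options.ClientSecret = _configuration["Oidc:ClientSecret"]; // assumed config key

            // Hybrid flow: the id_token comes back on the front channel, the authorization
            // code is redeemed on the back channel (server -> authority) for access/refresh tokens.
            options.ResponseType = "code id_token";
            // "openid" and "profile" are requested by default; add offline_access for a refresh token.
            options.Scope.Add("offline_access");
            options.SaveTokens = true;                 // tokens live in the server-side auth ticket
            options.GetClaimsFromUserInfoEndpoint = true;
            options.RequireHttpsMetadata = true;       // refuse a plain-HTTP discovery document

            // Map the role claim so RequireRole / [Authorize(Roles = ...)] work.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role",
            };
        });

        services.AddAuthorization(options =>
        {
            // Policy for endpoints that will later require a role or claim ("admin" is assumed).
            options.AddPolicy("Admin", policy => policy.RequireRole("admin"));
        });

        // Global filter: every MVC endpoint requires an authenticated user unless it is
        // marked [AllowAnonymous]. An unauthenticated request is challenged, which with the
        // schemes above means an automatic redirect to the authority's login page.
        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            config.Filters.Add(new AuthorizeFilter(policy));
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Authentication must run before MVC so the cookie/OIDC handlers see every request.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

With this setup the access and refresh tokens stay in the server-side authentication ticket rather than in the browser's localStorage, so the backend never depends on the frontend appending a token to each call; the Nginx-served static frontend is unaffected by it and would need its own mechanism if it is to be gated as well.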