Container issue: Authentication and authorization for SPAs

[Rick-Anderson]

23K PV

This is the Container issue for this doc. Reopen each issue you are working on so the owner is notified.

PU issue

• [ ] Token expiration #12727
• [ ] How to extend the user registration UI? #12552
• [ ] Alternatives for non-SPA login/signup pages #16493
• [ ] Improve Docs about identity server #17798
• [ ] More detail to "ApplicationDbContext" #18077
• [ ] I don't understand the value proposition of IdentityServer in an SPA scenario #18524
• [ ] Details about reconfiguring existing API resources and clients #18465
• [ ] Page is not current with latest changes #18478
• [ ] Example configuration for File type token signing cert. #22506
• [ ] Include Aspnet User Claims in Jwt token #22904

Not PU:

• [ ] Example: Deploy to Azure Websites Linux Support? #16392
• [ ] The description of the IdentityServer json is in reversed order #16768
• [ ] Documentation not up to date for .Net Core 3.1 Identity #18766

• [ ]

  Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 21cb7455-3305-9316-5440-bdc22947a82d
• Version Independent ID: 137d4b94-7b26-3911-b22d-42c754a95fc1
• Content: Introduction to authentication for Single Page Apps on ASP.NET Core
• Content Source: aspnetcore/security/authentication/identity-api-authorization.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @javiercn
• Microsoft Alias: scaddie

[Pyrobolser]

About the deployment to Linux App Services. Right now the following workaround seems to be working for me:

• Add your .pfx in your Web project on Visual Studio.
• Change the configuration in your appsettings.json:

  "IdentityServer": {
  "Key": {
    "Type": "File",
    "FilePath": "example_certificate.pfx",
    "Password": "examplepassword"
  },
  }

Please note that this is just a workaround but it is not a recommended solution. Your certificate shouldn't be hanging out with your files like this for security reasons, don't forget to exclude your certificate from source control.

[baselbj]

For the point " Alternatives for non-SPA login/signup pages"

In identity server documentation talking about those template,and I quote: "You are expected to know how ASP.NET Identity works sufficiently well to add those features to your project"

So,

"you can create a new project based on the Visual Studio ASP.NET Identity template and add the IdentityServer features you have learned about in these quickstarts to that project"

http://docs.identityserver.io/en/latest/quickstarts/6_aspnet_identity.html#what-s-missing

I think this documentation should show the 2 ways, SPA with ASP.NET Identity and SPA security without ASP.NET Identity.

[inlokesh]

@Rick-Anderson how can I use the code generated here in the react-redux project template

[vietman00]

I started with the Asp.net Core 3.1 with Angular and Individual User Accounts Template in VS 2019.. [Authorize] currently works but not [Authorize(Roles="Admin")] even though I gave my user that role.. When I inspect the User.Identity on a webapi controller method with just [Authorize] I do not see the email address, username or any roles.. I can only see that they are authenticated.. Please help! I just want to be able to specify Roles and have them respected in the Authorize attribute of controllers and their methods..

[gilmishal]

I have created an app with IdentityServer4 before, and although it is a bit more burdensome than AddApiAuthorization it is much better documented and I feel that it creates an abstraction that is very hard to figure out.

Configuring clients with appsettings.json uses a totally different syntax than the official IdentityServer docs - and the existing syntax isn't well documented. I understand that there are different profiles (why?), but I have no idea what client secret to use, I am not sure how to configure one and I have to dig deep into the code to figure it out. I might as well just give up and configure IdentityServer the regular way - which isn't necessarily better or easier, just a lot more predictable since it is better documented.

I would suggest either documenting this entire library (Microsoft.AspNetCore.ApiAuthorization.IdentityServer) better or making it's configuration more similar to the IdentityServer4 official configuration.

[dathoang]

Need more specific documents about Identity Server config:

• Refresh token (set AllowOfflineAccess property on Client)
• Change authentication flow. The current flow is implicit but authorization code is recommended for SPA now