openiddict / openiddict-core

Flexible and versatile OAuth 2.0/OpenID Connect stack for .NET
https://openiddict.com/
Apache License 2.0

Question: Recent Implicit Flow/Hybrid Angular example without using MVC? #735

Closed AlphaCreativeDev closed 5 years ago

AlphaCreativeDev commented 5 years ago

I've been poring through the documentation and examples for a couple of weeks now and I'm having a hard time understanding how to implement what I want. Every 'spa' or 'angular' example I have seen doesn't use Angular for most of the interactions with OpenIdDict/IdentityServer. The examples use an MVC client instead but have an Angular app that loads after their account is set up. I want the whole thing in Angular if possible.

I've gotten the OpenIdDict Implicit Flow sample project working with my Google keys and I believe I understand what is happening in that sample. I want to do something similar but with no MVC client.

Am I wrong in my thinking that I can implement the flow listed below with a purely angular client? If so, what would you recommend for my desired flow? Is it just not worth the effort and I need to stick with an MVC Client?

Flows/Questions:

  1. User fills out an Angular form to register an account with us. The user chooses whether they want to use a local username/password or authenticate using Google or Facebook. After they choose, it automatically creates their user and ties them to their new account with us. It also logs them into their new account. All of this would be Angular if possible, with as few redirects/user interactions as possible.
  2. After the user logs in via signup or our login page (also in Angular) it would use tokens/refresh tokens to call our api. My understanding for this is to use the access token created with their initial login and request a new token and refresh token.
  3. How can I pass data back and forth during the external login process? For example, in step 1 I want to create their account and give them an internal account Id. When they come back on the External Login Callback, how can I bring that data along with them?

One other current constraint I have which can change is that the Angular App, Web API, and Identity Endpoints are all hosted within the same site. Just thought I'd throw that out there so we don't have to worry about CORS at the moment.

kevinchalet commented 5 years ago

Every 'spa' or 'angular' example I have seen doesn't use Angular for most of the interactions with OpenIdDict/IdentityServer. The examples use a MVC client instead but have an Angular app that loads after their account is setup. I want the whole thing in Angular if possible.

While it doesn't use a SPA for the server-side-managed login part, there's an Aurelia sample using the implicit flow in the samples repository: https://github.com/openiddict/openiddict-samples/tree/dev/samples/ImplicitFlow

That said, it's definitely not the first time I hear the scenario you described.

The complicated thing about it is that it completely blurs the line between the authorization server and the client, as the client is also the UI for the authorization server (the separation is not as clear as initially envisioned by the OAuth2/OpenID Connect protocols).

In the apps I recently worked on, I opted for a radical - and simple - strategy for this kind of scenario:

AlphaCreativeDev commented 5 years ago

Thank you for your response. We will be looking into your reply more and will respond here with further questions.

kmiskiewicz commented 5 years ago

You can also check the project from Asad Sahi. Before he switched to Identity Server he was using OpenIdDict; you can check my fork of his project: https://github.com/kmiskiewicz/AspNetCoreSpa. There is also an FB flow included.