# Security

### Why use tokens?
1. No CSRF protection required for server endpoints
    - What is CSRF?
        - Cross-Site Request Forgery:
            <blockquote>
            Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. (Conversely, cross-site scripting (XSS) attacks exploit the trust a user has in a particular Web application). A CSRF attack exploits a vulnerability in a Web application if it cannot differentiate between a request generated by an individual user and a request generated by a user without their consent.
            </blockquote>
            
2. Tokens have narrower permissions
3. Tokens have shorter lifespans and can potentially be revoked
4. The same authentication principles can be used for hosted and standalone applications

#### Hosted WASM Approach:
1. WASM hosted on an ASP.NET Core backend
2. Tightly coupled

#### Stand Alone Approach:
1. WASM hosted on a regular HTML page
2. Backend API can be built in whichever technology you choose, and can be hosted anywhere
3. Loosely coupled

| Hosted | Stand alone |
|:---:|:---:|
| Could in theory be secure with same-site cookies | Cannot be secure with same-site cookies |
| Can be secured with token-based security | Can be secured with token-based security |
| Identity provider and ASP.NET Core Identity are integrated in the backend that hosts the WASM app | Identity provider is a separate component which is optionally integrated with ASP.NET Core Identity |
| Useful when you need a self-contained solution | Useful when you have multiple applications that deal with the same set of users |

#### WASM Hosting Modes:
1. Identity Provider
    - Generate Tokens
    - Implements OAuth2/OIDC protocols
2. User Management
    - Custom or based on ASP.NET Core Identity
      

### What is OAuth2?
- OAuth2 is an open protocol to allow secure authorization in a simple and standard method from web, mobile, and desktop applications
- OAuth2 defines how our Blazor applications can securely achieve authorization

### What is OpenID Connect?
- OpenID Connect is a simple identity layer on top of the OAuth2 protocol
- A client app can request an identity token (next to an access token)
- That identity token is used to extract user information (client-side apps) or to sign in to the client application (server-side apps)
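The following is an added example (not code from these notes) that ties the points above together for the stand-alone approach: a Blazor WASM client obtaining tokens from an OIDC identity provider and sending the access token as an explicit `Authorization` header, plus a separately hosted ASP.NET Core API validating that token's issuer, audience, lifetime and scope. The two parts are two different `Program.cs` files (client project and API project); the IdP, client id, API URL and scope name are assumed placeholder values.

```csharp
// --- File 1: Blazor WASM client, Program.cs (stand-alone app) ---
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;

var builder = WebAssemblyHostBuilder.CreateDefault(args);

// The identity provider (assumed URL) issues the identity token and the access token
// via the OIDC authorization code flow; the client never sees the user's password.
builder.Services.AddOidcAuthentication(options =>
{
    options.ProviderOptions.Authority = "https://idp.example.test"; // assumption
    options.ProviderOptions.ClientId = "blazor-wasm-client";        // assumption
    options.ProviderOptions.ResponseType = "code";
    options.ProviderOptions.DefaultScopes.Add("api.read");          // narrow permission
});

// The access token is attached as an explicit Authorization header, and only to the
// listed API origin. Browsers never add this header on their own, so a cross-site
// form post cannot ride on the user's session: no CSRF token is needed on the API.
builder.Services.AddHttpClient("ServerApi",
        client => client.BaseAddress = new Uri("https://api.example.test/")) // assumption
    .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
        .ConfigureHandler(
            authorizedUrls: new[] { "https://api.example.test/" },
            scopes: new[] { "api.read" }));

await builder.Build().RunAsync();

// --- File 2: ASP.NET Core API, Program.cs (hosted anywhere, any tech could replace it) ---
using Microsoft.AspNetCore.Authentication.JwtBearer;

var api = WebApplication.CreateBuilder(args);

api.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.test"; // same IdP; signing keys come from its discovery document
        options.Audience = "api.example";                // reject tokens minted for a different API
        options.TokenValidationParameters.ValidateLifetime = true;           // short-lived tokens expire on their own
        options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(1); // keep the "still valid" window small
    });

// Scope check: the "scope" claim may arrive as one space-separated value or as several claims.
api.Services.AddAuthorization(options =>
    options.AddPolicy("ApiRead", policy => policy.RequireAssertion(ctx =>
        ctx.User.FindAll("scope").SelectMany(c => c.Value.Split(' ')).Contains("api.read"))));

var app = api.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/weather", () => new[] { "sunny" }).RequireAuthorization("ApiRead");
app.Run();
```

Revocation is not shown: because the API only validates the token locally, a revoked token stays usable until it expires, which is why the lifetime above is kept short.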