Include ASP.NET identity example with SPA Template

[AleksandrAlbert]

I am building a React + Redux app, and like most websites authentication is a necessary. Unfortunately none of the SPA templates include user accounts by default. This has led to some degree of uncertainty with how best to implement security. In searching for 'How to secure a dotnet core SPA app', I see almost every result come up talking about the use of JWT's through a provider such as Identity Server, though I am not a security expert and would prefer to have at least one security option recommended by Microsoft. I've not been able to find an example of securing a React app using asp.net Identity alone, is this possible? It would be extremely helpful if a template could be added which includes authorization.

[brockallen]

This has led to some degree of uncertainty with how best to implement security

It's important to keep in mind that templates from Visual Studio are not necessarily a panacea of guidance on everything when it comes to building apps.

Here is perfectly good guidance on security for JS-based apps and API:

http://docs.identityserver.io/en/release/quickstarts/7_javascript_client.html

And it's even referenced by the Microsoft docs:

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/community

[AleksandrAlbert]

Yeah I understand that its not meant to be cure-all solution, but having at least a basic working system gives us a starting point we can then build on. This is a pretty huge feature when speed is of the essence (at a hackathon, for example). I think it would draw more traditional aspnet developers to the templates.

[brockallen]

Possibly. But at the same time, an identity design is a whole project in and of itself. IOW, you'd not expect VS to have a CQRS template, would you?

[AleksandrAlbert]

Well I suspect the amount of users looking for a CQRS template is much smaller than those just looking to add a login page to their demo app. I would be happy as well just for a blog post on how I can use just aspnet identity with the react template, as I haven't been able to find one.

[brockallen]

@maxmantz might have one?

[maxmantz]

The sample I have is a general example on how to implement OIDC with an React/Redux based SPA. It doesn't concern itself with identity too much other than reading out the user data from the JWT. Feel free to check it out and see if it helps you.

[brockallen]

And to add to @maxmantz's sample, you'd simply use ASP.NET Identity in your token server.

[AleksandrAlbert]

Thanks guys I will take a look

[SteveSandersonMS]

Thanks for the suggestion @AleksandrAlbert and for the comments @brockallen! I agree it would be nice to have the equivalent identity options that the other ASP.NET templates have and it's something we have spoken about on the team. As it happens there's already a bug tracking this request (#548) so I'll close this one as a duplicate.