Help wanted for SPA + Code Flow #160
Comments
Hey @fl0wx, I'm unsure if I understand the question correctly. Do you want to create a REST API in Go and use it with a SPA?
Yes, but authorization will be done separately (LDAP groups).
I have read many times that this approach is not recommended because of security concerns. In that case I need to store the access token in the browser, right? And even if I fetch the access token directly in my SPA, I have the issue of where to save / transmit the secret key?
@fl0wx:
If you use PKCE (Proof Key for Code Exchange: RFC 7636) correctly then there's not much of a concern. You will have a randomly generated validation token instead of a client_secret and store the access_token in the session storage of the browser. For more info, please check out the docs of our IAM as well on how to log a user into a (SPA) app: And we also have some quickstarts for some SPA frameworks (incl. Angular and React): https://docs.zitadel.ch/docs/quickstarts/introduction On the API side, you can then use the introspection endpoint to validate whether the token is (still) valid. A boolean
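The two server-side pieces named in the reply above, the PKCE check at the token endpoint and an introspection-backed bearer check in front of the REST API, as an added Go example. This is not code from this thread or from the zitadel/oidc project; the `Introspector` function type, the status codes chosen for the failure cases and the header parsing are assumptions, and a real deployment would implement `Introspector` with a POST to the IdP's introspection endpoint instead of the stub used in the test.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// NewCodeVerifier returns a high-entropy code_verifier as RFC 7636 §4.1
// requires (43..128 characters from the unreserved set). 32 random bytes
// base64url-encoded without padding give exactly 43 characters.
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 derives the code_challenge for the S256 method:
// BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), RFC 7636 §4.2.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyCodeChallenge is the check the token endpoint runs when the SPA
// redeems its authorization code: recompute the challenge from the
// presented verifier and compare it in constant time with the challenge
// stored at the authorization request. Only S256 is accepted here, since
// the "plain" method gives no protection if the challenge itself leaks.
func VerifyCodeChallenge(storedChallenge, method, verifier string) bool {
	if method != "S256" {
		return false
	}
	if len(verifier) < 43 || len(verifier) > 128 {
		return false
	}
	got := CodeChallengeS256(verifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

// Introspector (assumed type) is all the resource server needs from the
// IdP: given an access token, is it currently active? A real implementation
// calls the IdP's introspection endpoint; the test plugs in a stub.
type Introspector func(ctx context.Context, token string) (bool, error)

// BearerAuth is a net/http middleware that takes the bearer token the SPA
// sends in the Authorization header and rejects the request unless the
// introspector reports it active. A missing or malformed header and an
// inactive token both yield 401; an introspection failure yields 503 so
// the client can tell "not allowed" from "cannot be checked right now".
func BearerAuth(introspect Introspector, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, err := bearerToken(r.Header.Get("Authorization"))
		if err != nil {
			w.Header().Set("WWW-Authenticate", `Bearer error="invalid_request"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		active, err := introspect(r.Context(), token)
		if err != nil {
			http.Error(w, "introspection unavailable", http.StatusServiceUnavailable)
			return
		}
		if !active {
			w.Header().Set("WWW-Authenticate", `Bearer error="invalid_token"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// bearerToken extracts the token from "Bearer <token>", case-insensitively
// on the scheme, and rejects anything else.
func bearerToken(header string) (string, error) {
	parts := strings.SplitN(header, " ", 2)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") || parts[1] == "" {
		return "", errors.New("missing or malformed bearer token")
	}
	return parts[1], nil
}

func main() {
	v, _ := NewCodeVerifier()
	c := CodeChallengeS256(v)
	fmt.Println("PKCE round trip ok:", VerifyCodeChallenge(c, "S256", v))
}
```

The SPA keeps the verifier, sends only the challenge with the authorization request, and presents the verifier when it redeems the code, so there is no static client_secret to store in the browser; the API never sees the verifier at all and relies on introspection for each request.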
OK, thanks, I'll try that. Any recommendations regarding my authorization requirements? I cannot do authorization with OIDC currently and have to query a separate backend (LDAP). What's the best way to pair that with OIDC? Check roles on every request (+ cache)? Use a session? Or any other idea?
Your IdP could query the LDAP and append the groups as a claim to the userinfo/introspect endpoint or the tokens. The decision to cache or refresh depends on how much risk your service can take. Or in other words, if you need a high level of guarantees, don't cache.
Thanks, I'll consider that. Everything is clear now, so I'll close.
How do I implement the REST server part of the code flow authentication in combination with a SPA?
Like stated here: https://security.stackexchange.com/questions/129928/oidc-flow-for-spa-and-restful-api
Any help with that? Or hints on what to do?
Thanks and regards, fl0w