
Looking at the implicit flow to login with https://github.com/IdentityModel/oidc-client-js and https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/7_JavaScriptClient . The process begins with forwarding to a server side login page.

I'm aware that there are advantages of not having to make changes to the SPA if additional providers are used, but are there any more reasons why you're encouraged to use a server side login page? It seems as though the implication is that it's more secure, but I don't understand why.

1 Answer

I presume you're referring to an OAuth 2.0 Implicit Flow.

I think you're wondering why you need to direct away from your SPA for the user to authorize your app (by logging in, and usually selecting permissions to grant your application).

OAuth, as a protocol, is designed to allow a third-party to authenticate a user's identity. To use Google OAuth as an example, the user leaves your site and goes to Google, so that you can't steal their password or perform other actions on the user's behalf. They've left your site and entered the site of their trusted identity provider, who you are also implicitly trusting by allowing them to authenticate your user's identity.

If you are authenticating with your own server, there may be no need to use the OAuth protocol. Just allow them to submit their username and password directly. They're already trusting you to handle their username and password by signing up for your service.

The only good reasons I'm aware of to use your own OAuth provider on your site are:

  • Centralizing identity in a micro-services architecture
  • Exposing an identity provider for third-parties to use
  • Using a pre-packaged software solution as an identity provider, so you don't have to roll your own identity and authentication solution

Edit: Here's a better resource on implicit flow: RFC 6749 Section 4.2

And here's an ascii-art diagram of how the implicit flow works. Note that the authorization server is distinctly a separate entity in this diagram, and that the authentication step is directed toward this server.

 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier     +---------------+
 |         -+----(A)-- & Redirection URI --->|               |
 |  User-   |                                | Authorization |
 |  Agent  -|----(B)-- User authenticates -->|     Server    |
 |          |                                |               |
 |          |<---(C)--- Redirection URI ----<|               |
 |          |          with Access Token     +---------------+
 |          |            in Fragment
 |          |                                +---------------+
 |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
 |          |          without Fragment      |     Client    |
 |          |                                |    Resource   |
 |     (F)  |<---(E)------- Script ---------<|               |
 |          |                                +---------------+
 +-|--------+
   |    |
  (A)  (G) Access Token
   |    |
   ^    v
 +---------+
 |         |
 |  Client |
 |         |
 +---------+

nbering