13 Securing APIs and single page applications

This chapter covers

  • Securing an API with a token
  • Exploring how OAuth 2.0 and OpenID Connect are related
  • Explaining which OAuth flow is applicable for which scenario
  • Using IdentityServer to protect APIs
  • Using the BFF pattern to protect single-page applications

Chapter 12 explained ASP.NET Core Identity, which includes full user and sign-in management. This works really well for traditional, page-based web applications. The server issues an authentication cookie, which is automatically returned to the server with each subsequent HTTP request—that’s just how cookies work. For APIs or single-page applications (SPAs), this approach is still viable, but rather uncommon. Let’s take an API, for instance. It may have clients that are not web browsers (e.g., console applications, desktop applications, or other servers) and as such might not even support cookies. Things get even more complicated if the server doing the authentication (e.g., validating credentials) is different from the one doing the authorization. One server cannot reliably issue cookies for another server, and SameSite cookie settings make things even harder.

13.1 Securing APIs with tokens

13.2 OAuth and OpenID Connect

13.2.1 OAuth vs. OpenID Connect

13.2.2 OAuth flows

13.3 Securing applications

13.3.1 Third-party tools

13.3.2 Client credentials

13.3.3 Authorization code + PKCE

13.3.4 SPAs and BFF

Summary
