Comments on: Creating an OpenID connect system with Angular 8 and IdentityServer4 (OIDC part 1)

By: OAuth是保障Angular应用的API安全的好方法吗？ – 实战宝典

OAuth是保障Angular应用的API安全的好方法吗？ – 实战宝典 — Tue, 25 Oct 2022 22:15:55 +0000

[…] OIDC中的代码流程概述 […]

By: The Complete Guide to Angular Security – Christian Lüdemann

The Complete Guide to Angular Security – Christian Lüdemann — Thu, 04 Mar 2021 12:00:56 +0000

[…] token by the developer such as via an HTTP header. The most common way to do this is using OAuth bearer tokens in the […]

By: abrasat

abrasat — Tue, 08 Sep 2020 13:39:00 +0000

Very useful article, thanks!
Could you please explain also the workflow about how should the Angular app get the information about the user role / permissions? Can the user role/permission be extracted from the tokens returned from the STS Authorization Server ? Or must this information be fetched by the Angular SPA by calling a WebApi on the backend? For example if the angular application needs to hide or show some elements on the page, depending on the role of the actual user?

By: Shawn Zhang

Shawn Zhang — Wed, 02 Oct 2019 14:46:00 +0000

In reply to Christian Lydemann.

From your diagram.
One thing I am confused for the regular code flow.
Why client backend receive the auth code, and all subsequent api call (exchange token, request API data)
all sent out from client backend instead of client frontend?
If request API start from client backend, how do I pass the response to the front end page?

By: Implicit Flow vs. Code Flow with PKCE – Christian Lüdemann

Implicit Flow vs. Code Flow with PKCE – Christian Lüdemann — Tue, 30 Jul 2019 15:22:16 +0000

[…] you have read my Angular and OpenID Connect blog post series, you might have seen that I in the last part, when setting up Angular app to use OpenID Connect, […]

By: Creating an OpenID connect system with Angular 8 and IdentityServer4 (OIDC part 1) – Angular Questions

Tue, 30 Jul 2019 05:25:42 +0000

[…] submitted by /u/chrislyzz [link] […]

By: Christian Lydemann

Christian Lydemann — Mon, 29 Jul 2019 05:51:00 +0000

In reply to Martin Hammer. The client backend is the server hosting the client. If you use regular code flow you need a server to store the client secret. For public client, that can't store secrets, you use PKCE instead as described in this post.

By: OpenID Connect with Angular 8 (OIDC Part 7) – Christian Lüdemann

OpenID Connect with Angular 8 (OIDC Part 7) – Christian Lüdemann — Sun, 28 Jul 2019 12:59:29 +0000

[…] Part 1: Creating an OpenID connect system with Angular 8 and IdentityServer4 […]

By: Christian

Christian — Sun, 28 Jul 2019 10:20:20 +0000

In reply to Laredo Tirnanic. Hi, sure you can. The Angular apps have the access token which is an encoded JWT. It could just decode the access token and get the claims and hence do the checks. But, normally having an API returning either a flag for whether some data was available or not. If you let the API return all the navigation links, I think you are mixing BE/FE concerns here, that will make development harder as you need to do changes on both the BE and FE to change the navigation bar.

By: Christian

Christian — Sun, 28 Jul 2019 10:15:38 +0000

In reply to Martin Hammer. A client BE is the BE server, that hosts the Angular app. You only need the client BE in the authorization if you use code flow without PKCE.