dkstill.blogg.se

Stutter edit authorization code





If you are using OAuth2, the recommendation from the OAuth working group is to update your web applications, such as SPAs or JavaScript apps, to use Authorization code flow + PKCE instead of Implicit flow. With this approach you can remove the tokens from the URL for a much more secure flow. If you are not familiar with OAuth2, I recommend this Pluralsight course by Scott Brady.

If you are developing Web APIs, you should have heard about Swagger-UI. Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API. In ASP.NET Core we have a NuGet package called Swashbuckle.AspNetCore that provides an embedded version of the awesome Swagger-UI.

Normally our APIs use some authorization mechanism to protect access to their information. It's very common to use JSON Web Tokens as an authorization mechanism. Once the user is logged in, each subsequent request will include a JWT, which allows our API to determine whether the client can access the resources permitted by this token.

Before Authorization code flow + PKCE, Implicit flow was the standard flow for obtaining these JWTs and providing access to APIs in browser-based applications such as SPAs (Single Page Applications). As I told you before, you should avoid the use of Implicit flow in favor of Authorization code flow + PKCE. If someone asks you why they should avoid it, please refer to this link.

Some time ago, I made a pull request to support Authorization code flow + PKCE in Swashbuckle Asp.Net Core, so in this post I would like to show you how to configure Swashbuckle in order to use this authorization flow.

Getting started

Disclaimer: I'm not going to show how to configure things like JWT authentication, settings, etc., and I'm also going to omit some code for brevity and focus only on how to configure Swashbuckle to support Authorization code + PKCE. At the end of the post you'll have a link to my GitHub repository with a fully functional example using the IdentityServer demo.

We are going to create an ASP.NET Core Web Application using the API template from Visual Studio 2019.
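As an added illustration (not the author's code and not the Swashbuckle project's own sample), one way to wire Swagger UI to Authorization code flow + PKCE in a `Startup` class. It assumes a Swashbuckle.AspNetCore version that exposes `OAuthUsePkce()` and the `Microsoft.OpenApi.Models` types; the endpoint URLs, client id and scope name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OpenApi.Models;

public class Startup
{
    // Placeholder values (assumptions): use your identity provider's real endpoints.
    private const string AuthorizeUrl = "https://idp.example.com/connect/authorize";
    private const string TokenUrl = "https://idp.example.com/connect/token";
    private const string ApiScope = "api"; // hypothetical scope name

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v1", new OpenApiInfo { Title = "Sample API", Version = "v1" });
            // Declare only the authorization code flow; no Implicit flow is offered,
            // so Swagger UI never receives an access token in the redirect URL.
            var flow = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri(AuthorizeUrl),
                TokenUrl = new Uri(TokenUrl),
                Scopes = new Dictionary<string, string> { [ApiScope] = "Access the sample API" }
            };
            c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
            {
                Type = SecuritySchemeType.OAuth2,
                Flows = new OpenApiOAuthFlows { AuthorizationCode = flow }
            });
            // Attach the scheme to every operation so the UI sends the bearer token.
            var schemeRef = new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
            };
            c.AddSecurityRequirement(new OpenApiSecurityRequirement { [schemeRef] = new List<string> { ApiScope } });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseSwagger();
        app.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint("/swagger/v1/swagger.json", "Sample API v1");
            c.OAuthClientId("swagger-ui-client"); // hypothetical public client: no client secret in the browser
            c.OAuthUsePkce();                      // send code_challenge on authorize, code_verifier on token exchange
        });
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

The client registered at the identity provider should be a public client that allows the authorization code grant, requires PKCE, and lists the Swagger UI `oauth2-redirect.html` page as its redirect URI.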





