What's the best practice for SPA-PWA authentication? - authentication

I'm trying to develop a single page application using web APIs in ASP.NET Core as backend, and React as Frontend.
I was wondering what's the best practice to handle authentication using SPA-PWA technologies, i'd like to use 3rd party authentication so the user won't need to create another account.

Related

Authentication and Subscription in Web Application Best Practice

I have an application with Angular in frontend and NodeJs as a Backend.
I want to add a Login/Authentication and Subribtions/Payments to the app and wondering what is the best and easiest solution today. I read about services like Memberstack!?
I also worked with OpenId before and know that some cloud provider got their own solutions.

Preventing group of users from accessing rest of clients in IdentityServer

I am developing ASP.Net Core App with Backend For Frontend pattern using Ocelot. For now there will be a single API service but in the future I might migrate to microservices. Let's say it will be an e-commerce system where I will create different web apps for customers and for employees. I may also have Mobile app for customers.
From my research I know that should have my main API, then two API Gateways and two client (angular) apps. There also needs to be separate IdentityServer app.
So my question is - is there a way to configure the IdentityServer and gateways in such a way, that when I log in app for employees I won't be authenticated in customer app? I cannot understand if it should be possible with right configuration of scopes, claims or audiences. I saw many examples where that properties were set completely differently. I can prevent user from accesing some endpoints with the use of Roles but I think that it's not the right way to do this.
Or maybe since IdentityServer has built in SSO I should not use it and move to different authentication provider?
You should let the authorization sub-system in ASP.NET Core decide if the user is allowed or not, typically based on the claims in the access token.
You need to understand that you handle authentication and authorization separately in ASP.NET Core as the picture from one of my training classes show:
For more details:
Introduction to authorization in ASP.NET Core
Policy-based authorization in ASP.NET Core
Claims-based authorization in ASP.NET Core

How can I setup sign in as Google account on a react native + asp core web api and Identity server as middleware

How can I configure my mobile app project to sign in using external providers (Google). I am using react native + web api core. Most examples using google sign in is using ASP.Net Web application not web Api. I am using also Identity server as middleware
IDS4 still requires a serverside UI (although you could in theory use whatever client side framework you wish) so to keep things simple I'd wire the Google sign into your existing sign in UI flow.
For a native app it's strongly recommended that you use the authorization code flow with PKCE and use ASWebAuthenticationSession or custom tabs for iOS and Android respectively.

ASP.NET Web API Authentication (Web + Mobile)

I'm designing a solution that involves ASP.NET Web API as the service layer plus clients for web, iOS and Android.
Web users should be able to log into the web site and do their stuff. I'm using Forms Authentication for this scenario.
Mobile users should use the REST API and I believe we need a different authentication mechanism here.
Assuming that a given ASP.NET MVC application can support only 1 authentication mode, do I need to create 2 separate applications, one as the web client with Forms Authentication, and one as the API, and host them separately?
Any advice would be appreciated.
You could do basic authentication for the service clients and combine that with your existing forms auth
http://leastprivilege.com/2012/10/23/mixing-mvc-forms-authentication-and-web-api-basic-authentication/

How to secure RESTful API

Guys,
I am opening up a bunch of RESTful API, mostly GET at the moment, not modifying anything in the database.
I am planning to use this in our own mobile app, also to one of two trusted developers in the android applications they make.
I would like to know what's the possible & easiest way to secure the API to only the applications I authorize.
What's the best way to do that? I am using Rails 3.2