AWS Cognito and Web Applications – Protecting and Accessing APIs (JavaScript and .NET Core)

Introduction A typical web application consists of a frontend (HTML, JavaScript, CSS), a backend (e.g. a REST API) and a database for persistence. The frontend typically communicates with the backend over REST calls. Token-based authentication is a very common way to carry authentication and authorization information between the two. Applications need …

Token Based Security: Angular Applications – Part 3

Introduction In the previous post of this series, we configured our Angular application as a client of IdentityServer and completed the login/logout process. However, even though the user was logged in, the REST API calls were still not authorized. In this post, we will authorize HTTP calls by passing the bearer token in an Authorization header. Now, if you …

Token Based Security: Angular Applications – Part 2

Introduction In the previous post on token-based security, we created an API endpoint and protected it (using the Authorize attribute) with IdentityServer. Then we set up a simple Angular application with an AuthService that uses the oidc-client library. We also created a few Angular components, and at the end of the previous post we created two buttons …

Token Based Security: Angular Applications

Introduction I have written a few posts on token-based security, its importance, OAuth, OIDC and IdentityServer. You can check the previous posts if you are new to these topics. Today, I will write about how to secure an Angular application with these technologies. We will see how to wire an Angular application up to IdentityServer. An Angular application is a …

Token Based Security: Setting Up IdentityServer UI- Part 6

Introduction We have been discussing different parts of various authentication/authorization requirement scenarios. We also covered some theory and saw some demo code regarding OAuth, OIDC, IdentityServer etc. In the previous post, we learned how to configure IdentityServer, the AllowedScopes of a client application, and how to make a PasswordTokenRequest for those scopes and call the UserInfo endpoint. Currently …

TokenBased Security, OAUTH, OIDC, IdentityServer – Part 5

Introduction In the previous post of this series, we saw different flows for getting a token from IdentityServer, then passed that token as an Authorization header in our HTTP calls, and the client application was able to get the data as expected. Today, we will continue our journey and learn more about users and claims. So, if you are new …

TokenBased Security, OAUTH, OIDC, IdentityServer – Part 4

Introduction In the previous post of this series, we set up IdentityServer with some test users and client configurations. We then used the Postman tool to get an access token with a couple of different flows. In this post, we will move forward and add a resource API to our solution. This will be a simple .NET Core Web API application. …

Token Based Security, OAuth , OIDC and IdentityServer4 – Part 3

Client Credentials and Resource Owner Password Flow Introduction In the previous post in this series, we discussed token-based security, OAuth and OIDC. We also gave IdentityServer4 an initial configuration. In this post, we will continue configuring IdentityServer4 and will also walk through some client/server communication following the client credentials and resource owner password flows. If you are new to …

Token Based Security, OAuth 2.0, OIDC and IdentityServer4 – Part 2

Introduction In the previous post, we learned that OAuth is an authorization framework built specifically for HTTP APIs. It allows a user to securely delegate scoped API access to an application. Scoped access means that the user defines exactly which parts of an API the application is allowed to use. This application can then …

Token Based Security, OAuth 2.0, OIDC and IdentityServer4

Introduction We all know the username/password mechanism for logging in to a web application. We may also have heard of, used or implemented authentication/authorization systems, with or without frameworks. Token-based security is one of the common mechanisms for securing backend APIs. A common architecture for web applications typically consists of a web client app (e.g. an Angular or …