Implicit or Authorization Flow - SPA app front end, C# Web API back end


I have an existing app. It is a React front end. The back end is C#. The initial request to the back end is to a single MVC controller which returns back a razor view with all of the client side assets (JS (React), CSS, etc…).

Once the app is loaded into the browser, it’s a SPA app. It makes AJAX calls to various backend endpoints that are written in C# (Web API). It is these API calls on which we will enforce auth (we do this today with a self-hosted/implemented auth process). We are moving to Okta.

I’m looking for some guidance as to which flow to implement. I originally started down the authorization flow path, mainly because I had read that if you can securely store a ‘Client Secret’ you should use Authorization flow. In theory I can because I own the backend WebApi calls.

I found that just about every one of the examples for C#/.NET that implement Authorization do so with MVC controllers. Example projects that use WebApi are Implicit flow examples. Again, my project uses WebAPI.

I used the flow here

After unsuccessfully trying to make my WebAPI controllers implement Authorization flow, I found the Implicit tutorials much easier to get going and working in my situation. Looking for confirmation is all.


The main difference with implicit is that you do not get a refresh token. If your app isn’t going to be taking actions on behalf of the user when they aren’t logged in (interactive) then this shouldn’t be a problem.

The main problem a lot of people have with implicit is that the access token will show up in the query string. Ideally this should be used with a hash URL; if it’s not, then it will show up in logs.
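The query-string versus hash point in the reply above, as an added example that is not part of the original thread: it shows which part of the redirect URL reaches the server's request line (and so its logs) and a callback parser that accepts the token only from the fragment. The function names, the `app.example.test` host and the token and state values are constructed for illustration.

```javascript
// Constructed redirect URLs; host, token and state are placeholders.
const VIA_FRAGMENT =
  'https://app.example.test/callback#access_token=CONSTRUCTED_TOKEN&token_type=Bearer&state=abc123';
const VIA_QUERY =
  'https://app.example.test/callback?access_token=CONSTRUCTED_TOKEN&state=abc123';

// What the web server (and its access log) receives: path + query only.
// The browser keeps the fragment to itself and never sends it in the request.
function loggedRequestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Parse an implicit-flow redirect on the client.
// - Refuse a token that arrived in the query string (it has already been logged).
// - Require `state` to match the value the app generated before redirecting.
// - Return a fragment-free URL to put back in the address bar
//   (history.replaceState in a browser) so the token does not linger there.
function readImplicitResponse(redirectUrl, expectedState) {
  const u = new URL(redirectUrl);
  if (u.searchParams.has('access_token')) {
    return { ok: false, reason: 'token_in_query' };
  }
  const frag = new URLSearchParams(u.hash.replace(/^#/, ''));
  if (frag.has('error')) {
    return { ok: false, reason: frag.get('error') };
  }
  const token = frag.get('access_token');
  if (!token) {
    return { ok: false, reason: 'no_token' };
  }
  if (frag.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  u.hash = '';
  return { ok: true, token, cleanUrl: u.toString() };
}

console.log('server sees (fragment):', loggedRequestTarget(VIA_FRAGMENT));
console.log('server sees (query):   ', loggedRequestTarget(VIA_QUERY));
console.log(readImplicitResponse(VIA_FRAGMENT, 'abc123'));
console.log(readImplicitResponse(VIA_QUERY, 'abc123'));
```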

Thanks @sbennett. One other question, is it possible for Implicit flow to use the Okta hosted login page rather than login widget (that I grabbed from Okta)? Not huge but we may have a centralized Okta login page that is styled correctly and I would rather not try and keep them in sync (my app vs. general company login page).

So what I’m hearing is that implicit would be the correct approach based on my SPA app hitting a C# WebApi via Ajax calls.