I have an existing app. It is a React front end. The back end is C#. The initial request to the back end is to a single MVC controller which returns a Razor view with all of the client-side assets (JS (React), CSS, etc.).
Once the app is loaded into the browser, it's a SPA app. It makes AJAX calls to various back-end endpoints that are written in C# (Web API). It is on these API calls that we will enforce auth (we do this today with a self-hosted/implemented auth process). We are moving to Okta.
I’m looking for some guidance as to which flow to implement. I originally started down the authorization flow path, mainly because I had read that if you can securely store a ‘Client Secret’ you should use Authorization flow. In theory I can because I own the backend WebApi calls.
I found that just about every one of the examples for C#/.NET that implement Authorization flow does so with MVC controllers. Example projects that use Web API are Implicit flow examples. Again, my project uses Web API.
- My client is public and is a SPA app
- And by SPA app, I mean the 'SPA Lifecycle' diagram described here: https://dotcms.com/blog/post/what-is-a-single-page-application-and-should-you-use-one- lines up exactly with how my app is written.
After unsuccessfully trying to make my WebAPI controllers implement Authorization flow, I found the Implicit tutorials much easier to get going and working in my situation. Looking for confirmation is all.
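Whichever flow the SPA ends up using to obtain its access token, the Web API side of the picture described in this post is the same: the MVC entry point serves the shell page anonymously, and every Web API endpoint validates the bearer token it receives. The following is an added example (not the poster's code and not from any Okta sample) showing that split in a single ASP.NET Core Program.cs; it assumes ASP.NET Core 6+ with the Microsoft.AspNetCore.Authentication.JwtBearer package, and the authority URL and audience values are placeholders to be replaced with the real ones from your authorization server.

```csharp
// Added example, not from the original post: an ASP.NET Core Web API acting as an
// OAuth 2.0 resource server. The SPA sends "Authorization: Bearer <access token>"
// on each AJAX call; the API validates the token before any controller code runs.
// {yourOktaDomain} and "api://default" are placeholders (assumed, not from the post).
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority is the token issuer. The middleware downloads its discovery
        // document and JWKS from here and checks the token signature against them.
        options.Authority = "https://{yourOktaDomain}/oauth2/default"; // placeholder

        // A token minted for some other API is rejected even if its signature is valid.
        options.Audience = "api://default"; // placeholder

        // Issuer, audience and expiry are all enforced; none are left to the caller.
        options.TokenValidationParameters.ValidateIssuer = true;
        options.TokenValidationParameters.ValidateAudience = true;
        options.TokenValidationParameters.ValidateLifetime = true;
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication(); // parses and validates the bearer token on each request
app.UseAuthorization();  // enforces [Authorize] on the API controllers below
app.MapControllers();
app.Run();

// The single MVC entry point: anonymous, it only returns the Razor shell
// that carries the React bundle, CSS and other client-side assets.
[Route("")]
public class HomeController : Controller
{
    [HttpGet, AllowAnonymous]
    public IActionResult Index() => View();
}

// A Web API controller the SPA calls via AJAX. [Authorize] means a request without
// a valid access token gets 401 before this code is reached.
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

The point of the split is that the choice between flows only affects how the browser acquires the token; the resource server's validation (signature via the issuer's published keys, audience, lifetime) is identical either way, so this configuration does not need to change when the front end's flow does.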