Validate Session Server Side - Implicit Flow

My team is building an Angular SPA and we are planning on using Implicit flow as recommended. We’d like to add an additional check on the Express server hosting the Angular app to verify that the user is indeed authenticated before sending down any application code. If the User isn’t authenticated, we send them a stripped down login page that uses your Widget and libraries to log the user in, and redirect back to the Angular SPA after sign in.

My initial thought was to configure the tokenManager to store the tokens as cookies, and after these cookies are sent to the express server, create a middleware that uses the introspect endpoint to verify the access token. However, it looks like configuring the tokenManager this way isn’t an option.

Is there a recommended approach for this?

Hi @m_dev

The updated recommendation from the IETF for SPAs is Auth Code with PKCE.

Hey,

Not sure if this is a best practice, but you can achieve this by creating a separate app by choosing ‘OAuth Service’. This one has client_id/client_secret - so it’s only safe to be used server-side.
You can introspect tokens created with the SPA.
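As an added illustration of what the question and the last reply describe (not code from the thread or from Okta), here is an Express-style middleware that fails closed unless the introspection endpoint reports the token as active. The introspection URL, the confidential client's credentials, the cookie name `access_token` and the `/login` path are assumptions; the HTTP call is injected so the logic runs offline.

```javascript
// Build an RFC 7662 introspection request authenticated with the confidential
// client's id/secret (HTTP Basic), as a server-side "OAuth Service" app would.
function buildIntrospectRequest(introspectUrl, clientId, clientSecret, token) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    url: introspectUrl,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ token, token_type_hint: 'access_token' }).toString(),
  };
}

// Pull the access token from a Bearer header or an (assumed) access_token cookie.
function extractToken(req) {
  const auth = req.headers && req.headers.authorization;
  if (auth && auth.startsWith('Bearer ')) return auth.slice('Bearer '.length);
  if (req.cookies && req.cookies.access_token) return req.cookies.access_token;
  return null;
}

// RFC 7662: only an explicit `active: true` counts as an authenticated session.
function isActive(info) {
  return Boolean(info) && info.active === true;
}

// Middleware factory. `introspect(token)` performs the HTTP call above and
// resolves to the parsed JSON; any error or inactive result sends the user to
// the stripped-down login page instead of serving the SPA bundle.
function requireActiveSession(introspect, loginPath = '/login') {
  return async function (req, res, next) {
    const token = extractToken(req);
    if (!token) return res.redirect(loginPath);
    try {
      const info = await introspect(token);
      if (isActive(info)) {
        req.user = { sub: info.sub, scope: info.scope };
        return next();
      }
    } catch (err) {
      // Fail closed: an unreachable or erroring introspection endpoint is
      // treated the same as an inactive token.
    }
    return res.redirect(loginPath);
  };
}
```

Mount it on the route that serves the Angular bundle, e.g. `app.use('/app', requireActiveSession(token => fetchIntrospection(token)), express.static(...))`, where `fetchIntrospection` is your wrapper around the request built by `buildIntrospectRequest`.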