Help wanted for SPA + Code Flow about oidc HOT 6 CLOSED

Any recommendations regarding my authorization requirements? I cannot do authorization with oidc currently and have to query a separate backend (ldap). Whats the best way to pair that with oidc? check roles on every request (+cache)? Using a session ? or any other idea?

Your IdP could query the LDAP and append the groups as claim to the userinfo/introspect endpoint or the tokens. The decision to cache or refresh depends on how much risk your service can take. Or in other words, if you need a high level of guarantees don't cache.

from oidc.

Thanks i consider that. Everything is clear now, so ill close.

from oidc.

Hey @fl0wx

I'm unsure if I understand the question correctly. Do you want to create a REST API in Go and us it with a SPA?
If so, I would not recommend using the steps described. The SPA should get the token(s) on its own and just send the access_token to the REST API. The API then can for example verify it using the token introspection.

from oidc.

@livio-a:

I'm unsure if I understand the question correctly. Do you want to create a REST API in Go and us it with a SPA?

yes, but authorization will be done separate (ldap groups).

If so, I would not recommend using the steps described. The SPA should get the token(s) on its own and just send the access_token to the REST API. The API then can for example verify it using the token introspection.

i read many times that this approach is not recommended because of security concerns. In that case i need to store the access token in the browser, right?

and even if i fetch the access token directly in my spa, i have the issue where to save / transmit the secret key?

from oidc.

@fl0wx :

If so, I would not recommend using the steps described. The SPA should get the token(s) on its own and just send the access_token to the REST API. The API then can for example verify it using the token introspection.

i read many times that this approach is not recommended because of security concerns. In that case i need to store the access token in the browser, right?

and even if i fetch the access token directly in my spa, i have the issue where to save / transmit the secret key?

If you use PKCE (Proof Key for Code Exchange: RFC 7636) correctly then there's not much of a concern. You will have a randomly generated validation token instead of client_secret and store the access_token in the session storage of the browser.
There are a lot of certified OIDC libraries for all common SPA languages / frameworks which will do exactly this.

For more info, please checkout the docs of our IAM as well on how to login a user into a (SPA) app:
https://docs.zitadel.ch/docs/guides/authentication/login-users

And we also have some quickstarts for some SPA frameworks (incl. Angular and React): https://docs.zitadel.ch/docs/quickstarts/introduction

On the API side, you can then use the introspection endpoint to validate if the token is (still) valid. A boolean active will be returned and depending on the implementation of your Auth Server it might return more information (username, ...)
This library will help you with that call. Check out the api example (/example/client/api) and the resource server package (/pkg/client/rs)
You could of course cache the introspection response of a token for some time (e.g. 5min) and not always introspect it on every request.

from oidc.

ok thanks, i´ll try that.

Any recommendations regarding my authorization requirements? I cannot do authorization with oidc currently and have to query a separate backend (ldap). Whats the best way to pair that with oidc? check roles on every request (+cache)? Using a session ? or any other idea?

from oidc.