These talks never describe the flow 99% of people use: SPA and a .NET backend. No downstream services called. What am I supposed to do with the access token if I only need to call my API? The OpenIdConnect library only builds the claims principal based on the ID token. And the specs say "never look into the access token", so just throw it away?
Well, there is the "the good parts" suffix, just like JS vs. the "JS: The Good Parts" book.....
The SPA requests an access token from the IDP and sends it to the backend, via a Bearer token as proof the user is who they say they are.
Why would we need to look into access token when it’s really meant for the API/Resource server that the client calls?
You can use the claims/scopes to restrict actions a user can execute on the backend.
21:03 the SPA doesn't look at the token, but the backend MUST or it's not authenticating anything.
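As an added example (not code from the talk or any commenter), here is the backend-side check the replies above describe, in Python so it could sit behind a Flask route: verify the bearer access token's signature, expiry, issuer and audience, then gate the action on its scopes. It uses HS256 with a constructed shared secret so it runs offline; the issuer, audience and scope names are assumed, and a real IDP such as Azure AD signs with an asymmetric key that you would verify against its published JWKS instead.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real IDP signs with an asymmetric key published via JWKS.
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example/"     # assumed value
EXPECTED_AUDIENCE = "api://my-backend"       # assumed value: this API's identifier

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT; only here to construct sample input, the IDP does this in real life."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_access_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """The backend's check: signature, pinned algorithm, expiry, issuer, audience."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
    except ValueError:                       # covers bad base64 and bad JSON
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":         # pin the algorithm, never trust the header's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")   # token was not minted for this API
    return claims

def authorize(claims: dict, required_scope: str) -> bool:
    """Scope check: Azure AD puts delegated scopes in 'scp', other IDPs in 'scope' (space-separated)."""
    granted = (claims.get("scp") or claims.get("scope") or "").split()
    return required_scope in granted
```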
I sympathize… I have scoured the web for some simple tutorials or examples on how to authenticate a simple Angular SPA with a Flask backend against an OAuth2 provider (AzureAD, or whatever it is now called, in my case). Nothing…
Worst explanation ever!