I’m working on a React single-page app served by ASP.NET Core MVC. The SPA talks to external APIs, while the MVC backend just serves the initial app. We’re using ADFS for OAuth, which doesn’t support client secrets. It gives an auth code based on client ID and user login, then we need to make another request for the auth token.
I’m wondering if there’s any reason to handle this OAuth flow in the MVC backend instead of the frontend. Since ADFS doesn’t use client secrets, I’m not sure if there’s any advantage to doing it server-side. What are the pros and cons of each approach? Has anyone dealt with a similar setup before?
// Example backend code (if we go that route)
public async Task<IActionResult> GetAuthToken(string authCode)
{
var tokenRequest = new TokenRequest
{
Code = authCode,
ClientId = _config.ClientId,
RedirectUri = _config.RedirectUri
};
var response = await _httpClient.PostAsJsonAsync("token-endpoint", tokenRequest);
var token = await response.Content.ReadFromJsonAsync<TokenResponse>();
return Ok(token);
}
Any insights would be much appreciated!
yo, i’ve dealt with this before. honestly, frontend handling is way easier. less server overhead, ya know? plus, no real security boost with backend for ADFS.
just make sure u encrypt everything properly n use https. oh and dont forget to handle token refresh in ur SPA. thats crucial.
gl with ur project!
Having implemented a similar setup, I can share some insights.
In our case, we opted for handling the OAuth flow in the frontend for simplicity and reduced server load. Since ADFS doesn’t use client secrets, there’s no significant security advantage to server-side handling.
However, one potential benefit of backend processing is centralized token management. You could store and refresh tokens server-side, which might be useful if multiple frontend instances need to share authentication state.
Ultimately, the decision depends on your specific requirements. If you need fine-grained control over token handling or want to implement additional security measures, the backend approach might be preferable. Otherwise, keeping it in the frontend can lead to a more streamlined architecture and potentially better performance.
Remember to implement proper security measures regardless of your chosen approach, such as using HTTPS and securely storing tokens.
hey there! curious about ur setup. have u considered using a hybrid approach? like, handling initial auth in the frontend but then passing the token to the backend for validation and storage? could give u best of both worlds. what kinda specific security concerns do u have? maybe we could brainstorm some creative solutions together?