Hi,
I’m facing the challenge of implementing Auth0 flow in our customer’s system, but I’m not sure which flow to choose.
What we have is an SPA in Angular and a backend in .NET Core (API - not MVC). The business need is to have fully customized pages (e.g. login and password reset). And (what is more important imo) NOT to have any redirects to external providers during the log-in process, so if I’m not wrong, implicit flow and authorization flow (purely frontend approaches) don’t fit there.
I looked through a lot of articles and I think that Resource Owner Password Flow fits best in my case. I plan to send client credentials (username and password) from the SPA to the backend and then authenticate the user from the backend side using this: https://auth0.com/docs/api/authentication (Resource Owner Password request to /oauth/token)
However, I am not convinced that what I’m doing is not an anti-pattern, that’s why I have a few questions:
- Is what I described the only option for my business requirements, or is there something better?
- I need to register my backend in .NET Core as an API in Auth0, but how do I register the Application (spa, regular web app)?
- As far as I know, it is possible to authenticate from the SPA without sending client_secret, but I don’t know whether that would be a vulnerability (it would then be possible to implement login on the frontend side).
Thanks
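To make the backend-proxy variant described in the post concrete, here is an added C# example (not part of the original post and not Auth0's own SDK code). It shows the .NET Core backend receiving the username and password from the SPA and exchanging them at Auth0's `/oauth/token` endpoint with the Resource Owner Password grant, while the `client_secret` is read from server-side configuration and never sent to the browser. The class name, the tenant domain, `client_id`, `client_secret` and `audience` values are placeholders; the request and response field names are the ones documented for the `/oauth/token` endpoint.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;

// Hypothetical helper for the backend side of the flow described in the post:
// the SPA posts username/password to our API, and the API performs the
// Resource Owner Password request against Auth0. Only the backend knows the
// client_secret, so the SPA never needs it.
public sealed class Auth0PasswordGrantClient
{
    private readonly HttpClient _http;
    private readonly string _domain;        // placeholder, e.g. "YOUR_TENANT.auth0.com"
    private readonly string _clientId;      // placeholder: client_id of the Auth0 Application
    private readonly string _clientSecret;  // placeholder: loaded from server config / secret store
    private readonly string _audience;      // placeholder: identifier of the API registered in Auth0

    public Auth0PasswordGrantClient(HttpClient http, string domain, string clientId,
                                    string clientSecret, string audience)
    {
        _http = http;
        _domain = domain;
        _clientId = clientId;
        _clientSecret = clientSecret;
        _audience = audience;
    }

    // Exchanges the user's credentials for tokens. Throws on any non-2xx answer
    // so the controller can map it to a generic 401 for the SPA.
    public async Task<TokenResponse> LoginAsync(string username, string password)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = username,
            ["password"] = password,
            ["audience"] = _audience,
            ["scope"] = "openid profile email",
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret, // stays on the server
        };

        using var response = await _http.PostAsync(
            $"https://{_domain}/oauth/token", new FormUrlEncodedContent(form));

        if (!response.IsSuccessStatusCode)
        {
            // Auth0 answers with {"error": "...", "error_description": "..."} on failure.
            var err = await response.Content.ReadFromJsonAsync<ErrorResponse>();
            throw new InvalidOperationException(
                $"Token request failed: {err?.Error} - {err?.ErrorDescription}");
        }

        return await response.Content.ReadFromJsonAsync<TokenResponse>()
               ?? throw new InvalidOperationException("Empty token response");
    }
}

// Successful /oauth/token response.
public sealed class TokenResponse
{
    [JsonPropertyName("access_token")] public string AccessToken { get; set; } = "";
    [JsonPropertyName("id_token")]     public string? IdToken { get; set; }
    [JsonPropertyName("token_type")]   public string TokenType { get; set; } = "";
    [JsonPropertyName("expires_in")]   public int ExpiresIn { get; set; }
    [JsonPropertyName("scope")]        public string? Scope { get; set; }
}

// Error body returned by /oauth/token.
public sealed class ErrorResponse
{
    [JsonPropertyName("error")]             public string? Error { get; set; }
    [JsonPropertyName("error_description")] public string? ErrorDescription { get; set; }
}
```

In an ASP.NET Core API this would typically be registered with `services.AddHttpClient<Auth0PasswordGrantClient>(...)` and called from a `POST /api/login` action that hands the resulting tokens back to the Angular SPA (or stores them in an HttpOnly cookie). Because the exchange happens server to server, the login page stays fully under your control and the `client_secret` is never exposed in the browser bundle.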