Facebook API Question posted in
The official documentation for the Facebook APIs can be found here.

Resource-owner password credentials grant suitability for first-party login

I have a public-facing application that uses ASP.NET Core Identity to store first-party logins, and no intention of using third-party IdPs like Facebook or Google. I want to build the front-end in React, and the application comprises an API fronting a couple of back-end services to which I’ll need to forward JWTs for authorisation.

The plan so far is to use Identity Server 4 as the IdP for the project, backing it into the ASP.NET Core Identity data stores.

Current guidance is to use Authorization Code Flow with PKCE, which would require redirection to the IdP, two sets of styling etc.

In this scenario, where there is no possibility of a third-party IdP, is Resource Owner Password Grant still highly discouraged? On the face of it, it gives a neater experience:

  • User populates React-based login page
  • XHR POST to IdP with credentials (modulo an MFA challenge)
  • IdP returns an access token, React app subsequently uses that for future requests to the API

What issues will I introduce by pursuing the ROPC grant in this specific situation, vs accepting the need and duplication involved in a redirect-based flow to the IdP?

Tags:

2

Answers


  1. 0

    You can create a React based Identity Server login page for Authorization Code flow with PKCE instead of using MVC UI if you want. It is just extra work and complicated. I would recommend you just style the Identity Server MVC UI to look exactly like your frontend SPA. This is the simplest way and the path I took when I did a project with Identity Server(with Angular as front end).

    Login or Signup to reply.
  2. 0

    AMOUNT OF WORK

    This is one of the big issues. As well as a login screen you’ll have to make sure other areas such as Forget Password also work. If you build a second app you’ll need to make it work there also.

    EXTENSIBILITY

    This article summarises problem areas. One of these is no scope to ever extend login solutions.

    SECURITY

    Token refresh does not (usually) work with ROPG, which leads to long lived access tokens and other complexity. Also, with OAuth it is recommended that the app never sees credentials.

    From a security viewpoint it looks more modern to redirect the user – all the big providers do it – eg Google, Microsoft.

    BRIDGING SOLUTION

    As you say, if the password is private to your app it may not be the worst thing in the world. Capturing a user’s Google password in your app would be a bad thing though.

    ROPG has its uses but does not have much of a future – it is deprecated in OAuth 2.1 and providers will be getting rid of it. So I would also recommend what LalitaCode suggests ..

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search