I am making a SPA with certification.
The SPA was then set up to be viewable on Blob Storage's static website hosting.
At this time, we would like to protect the SPA with an API.
In other words, we want to obtain an access token for the API for the SPA on the login screen to ensure security.
But I am a beginner and don't know much.
I am able to create a sign-in screen and the SPA.
Now I just need to restrict access through the API; please let me know.
Like this:
SignInPage (from ADB2C) → API → SPA (from React)
You might benefit from reading and understanding this article from Auth0 - https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/
Major takeaways being:
Is the client a traditional web application executing on the server? Use the Authorization Code Flow.
Is the client a Single-Page Application (SPA)? Use the Authorization Code Flow with Proof Key for Code Exchange (PKCE).
Is the client a Single-Page Application (SPA) that doesn't need an access token? Use the Implicit Flow with Form Post.
Is the client the resource owner? You may use the Client Credentials Flow.
Is the client absolutely trusted with user credentials? You may use the Resource Owner Password Flow.