
Securing .Net Core Web API using Authorization Code flow with PKCE

I have a .Net Core Web API that sits within the company network; it is a standalone service that is going to be used by other applications within the network. The web API is pretty simple and has few endpoints. However, I want to restrict access to this Web API: only allow a given set of applications to access it. Within our company we have an Authentication and Authorization service that acts as an identity provider server, and we must use this service to obtain access tokens etc. We cannot create our own identity server to generate tokens. In our design phase we identified Authorization Code flow with PKCE as an ideal implementation.

Our Identity Provider has onboarded a test client id and configured Auth Code flow with PKCE. Afterwards, when I configured the .Net Core web API, I realized that we need to provide a redirect URL for user login, which is the point of confusion since this is a web API and does not have a login page. What I am trying to say is that when we are obtaining the authorization code in the first step of the Auth Code flow, I am not clear on how the redirection would work, since there is no login page to redirect to in a Web API. What I mean is that in obtaining the Auth Code, a redirect URI has to be provided where the user will enter user id and password, but this is a Web API: there is no user/pwd, only another client app that is trying to access it using a Client Id. So my question is how would one use OIDC PKCE in a Web API environment? I am sure it is possible but I have failed to find any relevant documents. Any .Net Core code sample would be appreciated. No, we cannot use Client Secret or implicit workflow.

Looking forward to your responses.

Thank you.

question from:https://stackoverflow.com/questions/65892234/securing-net-core-web-api-using-authorization-code-flow-with-pkce


1 Reply


Why not just use the bearer token obtained on your client side through the PKCE flow and verify that on the API, as part of the authentication middleware, to authenticate?

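The approach in the reply above, as an added example rather than code from the question, the reply, or any particular identity provider: the Web API never runs the authorization code / PKCE exchange itself. The redirect URI, the user login and the code_verifier all belong to the calling client application; the API only receives the resulting access token as a `Bearer` header and validates it with the JWT bearer middleware (issuer, audience, lifetime and signature, with signing keys fetched from the provider's discovery document). Restricting the API to "a given set of applications" is then an authorization policy that checks which client the token was issued to. This is a `Program.cs` for an ASP.NET Core (.NET 6 or later) minimal API using the `Microsoft.AspNetCore.Authentication.JwtBearer` NuGet package; the authority URL, audience, client ids and the `/orders` endpoint are placeholders, and the claim name carrying the client id (`client_id` or `azp`) depends on the identity provider, so check a real token from yours before relying on it.

```csharp
// Program.cs - added example, not from the original post. Requires the
// Microsoft.AspNetCore.Authentication.JwtBearer package. All URLs, ids and
// the endpoint are placeholders (assumptions, not values from the question).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder: the company identity provider's issuer URL. The middleware
// fetches /.well-known/openid-configuration from here and loads signing
// keys from its jwks_uri, so no key material is stored in the API.
const string Authority = "https://idp.example.internal";
// Placeholder: the audience value the provider puts in tokens minted for this API.
const string Audience = "my-web-api";

// Placeholder client ids registered at the identity provider. Only tokens
// issued to one of these applications may call the API.
var allowedClientIds = new HashSet<string>(StringComparer.Ordinal)
{
    "app-one",
    "app-two",
};

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = Authority;
        options.Audience = Audience;
        options.RequireHttpsMetadata = true; // never fetch discovery/keys over plain HTTP
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,           // token must come from Authority
            ValidateAudience = true,         // token must be meant for this API
            ValidateLifetime = true,         // reject expired / not-yet-valid tokens
            ValidateIssuerSigningKey = true, // signature must match a published key
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Authentication proves the token is genuine; this policy additionally
    // restricts callers to the allow-listed client applications.
    options.AddPolicy("AllowedClient", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
              {
                  // Assumption: the provider exposes the calling application's
                  // id as "client_id" (common for access tokens) or "azp".
                  var clientId = ctx.User.FindFirst("client_id")?.Value
                              ?? ctx.User.FindFirst("azp")?.Value;
                  return clientId is not null && allowedClientIds.Contains(clientId);
              }));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Placeholder endpoint: every route that must be protected gets the policy.
app.MapGet("/orders/{id:int}", (int id) => Results.Ok(new { id, status = "shipped" }))
   .RequireAuthorization("AllowedClient");

app.Run();
```

A request without a token, with an expired token, or with a token issued for another audience is rejected by the middleware with `401`; a valid token issued to a client that is not in `allowedClientIds` is rejected by the policy with `403`. If the calling applications act on behalf of end users, the policy can also require a scope claim rather than (or in addition to) the client id, so that a token obtained for some other API cannot be replayed here.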