Question: Implicit Flow about aspnet6identityserver4angularoidcflows HOT 5 CLOSED

Not so sure I understand, but the OIDC implicit flow should be used if you are doing authentication; flow 'id_token'. The access token is not required if you do no API calls.

It is not possible to set a refresh token with this flow. The idea is that you use a silent renew to get the new tokens in a background task in an iframe. User does not notice anything here.

from aspnet6identityserver4angularoidcflows.

I think I was not very clear. We are creating an Angular application requiring authentication. That means we must use implicit flow. So if I understand correctly, the silent renew is used to keep the user logged in.

In order to authorize the user, from calling restricted APIs, that is not related to the implicit flow, correct? I tend to confuse one and the other.

from aspnet6identityserver4angularoidcflows.

To call APIs you need to get an access token from the STS server. This is done as part of the OIDC Implicit Flow 'id_token token'. The access token is validated as part of this flow. You need to be sure that the access token is for you. Then you can used this access token to access the APIs. The silent renew refreshes both tokens. Don't forget to implement a good CSP header for you app as well.

The id_token is used for the application, roles, claims etc are in JWT token. The access token should not be opened by the client application. Only the API used this. The angular app receives this and sends it in the header of the api requests.

from aspnet6identityserver4angularoidcflows.

So to clarify, in the response, 'id_token' is the JWT token and 'token' is received as 'access_token' and 'token_type': "Bearer", correct?

from aspnet6identityserver4angularoidcflows.

@nvella88 yes, this is correct

from aspnet6identityserver4angularoidcflows.