How to secure all api calls in an Angular / .NET Core 2.0 application regardless of user login

1
votes

I've gone through the excellent tutorial here https://fullstackmark.com/post/13/jwt-authentication-with-aspnet-core-2-web-api-angular-5-net-core-identity-and-facebook-login to set up an Angular 5 web site with .net core 2.0 which issues JWT tokens to use to authenticate API requests.

Everything works well, a user logs in, and is then given a token which is sent as an authorization header for each API request.

My question though, is how do I secure ALL the api requests in my site, regardless of whether the user has logged in or not?

If I have a request such as /api/articles which gets all articles, I'd like anonymous visitors to the site to be able to access it through the Angular front end, but I don't want people just hitting the API and getting the data that way.

1
angularasp.net-corejwt
Use ValidateAntiForgeryToken see docs.microsoft.com/en-us/aspnet/core/security/… - Eliseo

1 Answers

0
votes

You can use OpenIDConnect / OAuth2 to identify your client, without having your user to login. With client I mean the Angular app.

The idea is that your app authenticates using the client_credentials grant. For this flow there is no user interaction required. The client gets an access_token, including the required scope for the resource, from the authentication server. Here is a sample that works with IdentityServer4.

This will secure you api and prevents that it's being targetted directly. However, this does not guarantee that the user cannot read the token from the request and use it without the app.

But if you combine this with AntiForgeryTokens (also for GET) and make the access_tokens shortlived, then it's certainly not worthwhile to do so.

Once the user logs in, you can switch to the new access_token that contains the information about the user.