DEV Community

Discussion on: #05: Securing Static Web Apps

Nitya Narasimhan, Ph.D

Thank you!! Genuinely made my day - you can tell this is a labor of love for all of us.

Just to clarify:
You want a client (System A) to invoke an API endpoint in the SWA (System B)
where the API endpoint requires you to be authenticated before you can use it?

I see the workflow being something like:

  • The SWA would have the API route endpoint set up to require an allowedRole of "authenticated" - which means anyone trying to access it would be redirected to the login API endpoint before they are allowed to proceed.
  • The client would then invoke the API endpoint - and if it is already authenticated, it gets a valid response, else it will be asked to login first, then redirected to the API when done. See: Securing Routes with Roles

However, I think you may be asking if there are ways to customize that authentication workflow - that would require the SWA implementor to explore custom authentication options.

For instance - if AAD is used, the SWA can configure the types of accounts that can sign in and streamline the login process for trusted organizations.

Does this help? If not, perhaps you can give me an example use case and I'd be happy to follow up :-)
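To make the route protection described above concrete, here is an added example `staticwebapp.config.json` (not from the article or the comment thread) that restricts the `/api/*` routes to the built-in `authenticated` role, redirects unauthenticated browser requests to the Azure AD login endpoint, and pins the custom Azure AD provider to a single tenant. The `/admin/*` route with a custom `admin` role, the `AZURE_CLIENT_ID` / `AZURE_CLIENT_SECRET` application-setting names and the `<TENANT_ID>` value are assumptions for illustration.

```json
{
  "routes": [
    {
      "route": "/api/*",
      "allowedRoles": ["authenticated"]
    },
    {
      "route": "/admin/*",
      "allowedRoles": ["admin"]
    }
  ],
  "responseOverrides": {
    "401": {
      "redirect": "/.auth/login/aad?post_login_redirect_uri=.referrer",
      "statusCode": 302
    }
  },
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "registration": {
          "openIdIssuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
          "clientIdSettingName": "AZURE_CLIENT_ID",
          "clientSecretSettingName": "AZURE_CLIENT_SECRET"
        }
      }
    }
  }
}
```

Two things worth checking when adopting a configuration like this: the `401` override only turns a denied request into a login redirect for browser clients, so a non-interactive caller hitting `/api/*` without a session still does not get through; and the tenant-specific `openIdIssuer` is what limits sign-in to accounts from one organization, whereas the `common` issuer would accept any Azure AD account.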

Lars Gyrup Brink Nielsen

I'm thinking of the OAuth 2.0 Client Credentials flow.

Say my Azure Static Web App has a connected Azure AD, an Azure AD B2C provider, or is there a built-in identity provider?

External Service B wants to access Static Web App API A:

  1. External Service B goes where to request an access token using client credentials (client ID + client secret)?
  2. External Service B attaches the Bearer access token to the Authorization HTTP request header for Static Web App API A?
  3. How does Azure Static Web App API A validate the access token?
  4. How does the Azure Static Web App API A authorize the access token permissions?
mkarmark

We currently only support browser logins for authentication. We do not have support for service to service auth, or any form of token validation.

Lars Gyrup Brink Nielsen

Thank you for clarifying and once again thank you for this article. The role assignment by Function is interesting 👀