OpenID Connect with SPA login page
I'm looking for some advice about implementing a login page with a separate SPA application.
Currently, we have the following configuration:
1. OpenID Connect-based Auth server (ASP.NET Core + OpenIddict)
2. A bunch of UI applications (React)
3. A bunch of API backend services (ASP.NET Core)
Our auth server contains a login page written with Razor Pages. It also includes Google authentication with the ability to use 2FA with an authenticator.
For all authorizations, we use Authorization Code Flow with PKCE.
Now we have a business requirement to create a login page for one of our React apps.
The user should be able to provide credentials inside the React app and log in to the system. Additionally, the user should be able to log in via Google in this React application.
I'm concerned about the security aspect of this requirement and am trying to figure out whether I should raise my concerns with other developers and managers.
Do you see any problems with this requirement?
Is it possible to achieve this without breaking OpenID Connect flows and best practices?
0 Replies