❔ Auth implementation sanity check
The project is using next.js and asp.net. I want to have auth for multiple IDPs (Google, FB, etc.), and want to use ROPC flow as well.
Currently, there is only Google's oauth for testing purposes.
Im using next-auth for authentication. Once user is logged in and wants to access some protected resource, they will send the request to the asp.net (along with an access token). Once the token introspection succeeded, user get its resources.
That flow works just fine (along with refresh token rotation). Now I want to add 2 things: Authorization and ROPC. Where should I do that?
I was thinking about using openiddict for ROPC flow (but that would introduce another server for pretty much nothing) and to do the Authorization on the openiddict side.
Or maybe do both ROPC and Authorization on the asp.net. I can use next-auth for ROPC, but Id rather not access the database from there.
I definitely made it more complicated with the next-auth part, since I wanted to separate the client and the resource server..
Sooo what do you think?
Currently, there is only Google's oauth for testing purposes.
Im using next-auth for authentication. Once user is logged in and wants to access some protected resource, they will send the request to the asp.net (along with an access token). Once the token introspection succeeded, user get its resources.
That flow works just fine (along with refresh token rotation). Now I want to add 2 things: Authorization and ROPC. Where should I do that?
I was thinking about using openiddict for ROPC flow (but that would introduce another server for pretty much nothing) and to do the Authorization on the openiddict side.
Or maybe do both ROPC and Authorization on the asp.net. I can use next-auth for ROPC, but Id rather not access the database from there.
I definitely made it more complicated with the next-auth part, since I wanted to separate the client and the resource server..
Sooo what do you think?
