I'm developing a Blazor WASM standalone front-end, connected to a ASP.NET Core 8 Web API I'm also working on. Everything is in .NET 8.
Currently, my authentication flow is pretty simple:
- User enters his credentials in the login page
- A call is done to my Web API "login" endpoint
- The Web API returns a token and refresh token
- Wasm save this in localStorage and the user is now authenticated.
- Before each httpRequest to API, an interceptor checks if the token is still valid according to the expiration time. If it's not, then wasm calls the Web API "refreshToken" endpoint.
This is currently working pretty nice.
First of all, I'm wondering if I'm actually doing it the right way.. Is it secured enough ? Wouldn't it be better to use OpenIddict in the Web API instead of doing all of this manually?
But the main question is the following one : I would like to add Google SSO to my Blazor Wasm according to the microsoft documentation and here's my plan.
- User clicks on "Sign in with google", and logs himself in
- Wasm receives a callback with an IdToken
- Wasm sends this IdToken to my Web API
- Web API verifies this is an actual valid google token, and creates the user if not exist.
- Web API returns a token and refreshToken as if the user had logged on in classic mode.
Is it the right way to do it ? What do you think about this ?
Thanks in advance for your help