Do we need to create 2 clients, one for SPA another for WebAPI?

Do we need to create 2 clients? One for the SPA, another for the WebAPI. The reason is that for the SPA client we set the Access Type to “Public”, which does not have the authorization feature, but we need the authorization function to work for the WebAPI. My front end is Vue and the backend WebAPI is core 3.1.

That is a common way to solve the problem. Create a “public” client for the SPA and a “confidential” client for the API.

Why is it not secure to use a client with public access type on the backend?

It depends on your use case. Generally, configuring a Client for use with a backend service will be “confidential” or “bearer-only”. This is because the only way it will ever be accessed is by being passed a token that is created on the frontend by a login session, or through a client-credentials grant. It doesn’t really make sense to have a Client for use with a backend service be “public” as this implies it will be redirecting users who access it directly through a public auth flow.
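As an added illustration of the two-client setup described above (not from the original thread), this is what the two client entries would look like in a Keycloak realm export; the client IDs and URLs are assumed values. The first entry is the public SPA client, the second is the bearer-only API client.

```json
[
  {
    "clientId": "vue-spa",
    "protocol": "openid-connect",
    "publicClient": true,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": false,
    "redirectUris": ["https://app.example.com/*"],
    "webOrigins": ["https://app.example.com"],
    "attributes": { "pkce.code.challenge.method": "S256" }
  },
  {
    "clientId": "core-webapi",
    "protocol": "openid-connect",
    "publicClient": false,
    "bearerOnly": true,
    "standardFlowEnabled": false,
    "directAccessGrantsEnabled": false
  }
]
```

The SPA client has no secret and uses the authorization-code flow with PKCE; the API client is bearer-only, so it never redirects anyone to a login page and only accepts tokens that were issued to the frontend.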

Hi, thanks for the explanation. I would like to learn more about the actions that the backend client does.

I know the backend, when receiving the token from the frontend, contacts the Auth server to validate the token.

However, I don’t understand why a configuration with the client for the backend configured with Access Type “public” is less secure. How is the secret used in the token validation process?

The URL of the Auth Server cannot change and if someone else contacts my Auth Server on that Client Id I don’t think it can create problems.

Why would that be a less secure solution?