Commit 0d82ca8

committed
Improve text
1 parent 6346f1f commit 0d82ca8

1 file changed

+7
-2
lines changed
aspnetcore/security/authentication/configure-jwt-bearer-authentication.md

Lines changed: 7 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -92,9 +92,14 @@ The [OAuth specifications](https://learn.microsoft.com/entra/identity-platform/a
9292

9393
A 403 forbidden response is normally returned when a business permission is missing. The authorization has nothing to do with the authentication or the standard claims used in the access token. This could be implemented using an ASP.NET requirement with a policy or also a role authorization.
9494

95-
## How OIDC/OAuth fits into this?
95+
## What role has OIDC and/or OAuth when using bearer tokens?
9696

97-
When using access tokens, only the access token is validated on the API. The process of acquiring the access token is unspecified. OpenID Connect and OAuth specify standards on how to acquire access tokens in a safe way. This process is different for every type of application. It is complicated to implement this in a safe way. This is why it is recommended to use one of the standards to create access tokens. OpenID Connect is used to create access tokens for an application and a user. These access tokens are user delegated access tokens. In a web application, a confidential OpenID Connect code flow using PKCE is the recommended way to implement this. If the application has no user, OAuth client credentials can be used to acquire an application access token.
97+
When an API uses JWT access tokens for authorization, the API only validates the access token, not on how the token was obtained.
98+
99+
OpenID Connect (OIDC) and OAuth 2.0 provide standardized, secure frameworks for token acquisition. Token acquisition varies depending on the type of app. Due to the complexity of secure token acquisition, it's highly recommended to rely on these standards:
100+
101+
* For apps acting on behalf of a user and an application: OIDC is the preferred choice, enabling delegated user access. In web apps, the confidential code flow with [Proof Key for Code Exchange](https://oauth.net/2/pkce/) (PKCE) is recommended for enhanced security.
102+
* If the app has no user: The OAuth 2.0 client credentials flow is suitable for obtaining application access tokens.
98103

99104
## Implementing JWT bearer token authentication
100105

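Review bot: Two wording problems in the added lines, starting with the new heading at diff line 95, "What role has OIDC and/or OAuth when using bearer tokens?", which reads awkwardly; suggest "What role do OIDC and OAuth play when using bearer tokens?". In the first new paragraph (diff line 97), "the API only validates the access token, not on how the token was obtained" should drop "on": "not how the token was obtained". In the first bullet (diff line 101), "the confidential code flow" is imprecise; the flow is the OAuth 2.0 authorization code flow, used by a confidential client, so "the authorization code flow (as a confidential client)" would be clearer, and "for enhanced security" could say what PKCE actually adds, namely protection of the authorization code against interception and injection. The removed sentence at old line 97 also stated explicitly that OIDC tokens are "user delegated access tokens"; the new bullet keeps that idea as "delegated user access", which is fine.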